Re: [TLS] ML-KEM key agreement for TLS 1.3
Deirdre Connolly <durumcrustulum@gmail.com> Thu, 14 March 2024 20:03 UTC
Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75ACBC14F6BD for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 13:03:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L5oG-eBCd8Yj for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 13:03:32 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91F4BC14F5F9 for <tls@ietf.org>; Thu, 14 Mar 2024 13:03:32 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-563c595f968so1800142a12.0 for <tls@ietf.org>; Thu, 14 Mar 2024 13:03:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710446610; x=1711051410; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=aoXg6BsirodvH06GeCKT8NPB637f+zY33puNwc3IwGM=; b=M/rGKvCSHYrVGYi0U30Y+L8UpIDnEipqUIjeIVoNv5Dqs935ZzjkNJwMyjs/hzLcSS vTLjXSDwjsK587+Nqh+Hys1aUY6HNLFwcObTpWi2Q2rJ0Oh38ZyMBmqkXvrfRkDeswVF /TuUwNlwdJwHq//0Z+W2ouhJ5PvFraxJZkobkayXZsuwfU/3dgkvij9+XkT/x5nekToa CPoXai/XNDXoI3LS6J+RE8drOwV2KBq/WN6oiG/dtJ4zetmY5ow37Qisns1Nyeap/1hX PoUizXOm+zoD+COMu44gCdbQJelrdlPWzix7KPIS4LDi7p9lJhwqRD8uogM977hVxiaF V8RQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710446610; x=1711051410; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aoXg6BsirodvH06GeCKT8NPB637f+zY33puNwc3IwGM=; b=RLEu6aPx0ql6j57uS3N6jXttBcmcf7aIjLH0yExb9S7z/w5q9hYvYGcLUd8nOlkDCR 7eN7P/XLCF5nfHxCqGjlNOAn8S2CgBU3GxAJ3IWZ+hB+7sIoe7B8tnW1fZbSytUIGaPb AjEYTfAfowSBljbRZZmnDR5t+FT7d0kcdKoky8tiu/KOxTF3PzKf3t71vqqJJMQDbsCE v3eHwrRYflq+vHaGkEwJZMUfDNtm4LM42d5HWYjlnZRdo8RkM2niYPiF45LU8dflCgZ8 B8m7v0cR4DbJsoHrEjTkM4dV3PjYFV/of5vYpzCaxGBarEh6vIU3roOymz3HGZ5jvucB 2VxA==
X-Forwarded-Encrypted: i=1; AJvYcCVQE2Fr7QBmVn3G5ON6Rro+/gc8Y0u0v97G5kCZp7UIPxg0Un+wUDc2P0xrQUsmMdCRDS6PMmK0kBWx5V0=
X-Gm-Message-State: AOJu0YwF9vbt0UWxJPeY8ZNyO9I6i+hWvW9cwFvX1v07gkgnsaN7b44H YxRuj2+9XstpMuHvKl6egjfJHlgMAexgyV36xglCrRuR8ltuA7/B9Khv0FRFLWC5157T0QgXtjW FRWFtJBOKXd+qnziVGxscLfuIdxpsiPAu
X-Google-Smtp-Source: AGHT+IH9TPHCRDSEJaMbveDRvbIk9jS+ITn6QzG8d5Z4tTyDi5cRBqjmEsqDhxHxSuWj0Wx0C+ojOVozBF/Ng1WoNgY=
X-Received: by 2002:a05:6402:159b:b0:568:8e7c:8d8a with SMTP id ij27-20020a056402159b00b005688e7c8d8amr940805edb.41.1710446610051; Thu, 14 Mar 2024 13:03:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824wL3sZKoD6OzVpOi8=HZ+aFjqVi4L8UsF8b0p18KOEqVA@mail.gmail.com> <PH8PR09MB929495934EEC8829232EE5DCFC2A2@PH8PR09MB9294.namprd09.prod.outlook.com> <CAFR824ySu7+kA4a_3n9ytg6=3Ow-CPHR+dUJxYOhyh3wOnt1VQ@mail.gmail.com> <8ccc5807-d958-4d9d-8d8c-9b181f0fd708@nist.gov> <CAEEbLAbBB-BkjPWKw2DXJbTG8z4vdJ4sHiVd2Od+6tS0sGNThA@mail.gmail.com>
In-Reply-To: <CAEEbLAbBB-BkjPWKw2DXJbTG8z4vdJ4sHiVd2Od+6tS0sGNThA@mail.gmail.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Thu, 14 Mar 2024 16:03:16 -0400
Message-ID: <CAFR824y2jh=P267vqSPOE2gXZxgzFnasXzOvJ705GKgKL8MQjg@mail.gmail.com>
To: Sophie Schmieg <sschmieg@google.com>
Cc: "David A. Cooper" <david.cooper=40nist.gov@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000997bd10613a46298"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B1dG4fzjouSo1I1nhRKYaQv7Y3M>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 20:03:33 -0000
Good points. I've included these notes in the GitHub tracking issue, and will leave the document as-is for now. On Thu, Mar 14, 2024, 3:41 PM Sophie Schmieg <sschmieg@google.com> wrote: > There was a push to change the parsing logic for ML-KEM public keys to > never fail, by silently reducing, without changing the hash of the public > key. I am not sure if NIST ended up adopting that change for their final > standard (I hope they did, I think it's the best way to handle this > problem), which would mean that any appropriately sized binary string is a > valid ML-KEM public key. For ciphertexts, this property is already the > case, due to the compression that is applied in ML-KEM. If NIST > incorporated this change, there would be no way for the ML-KEM based key > agreement to fail explicitly, any failure would result in an implicit > rejection. > In the end, this seems to be the same as with elliptic curves as is as > well, point-not-on-curve checks can result in an explicit rejection of a > keyshare (for the curves where it can occur), and manipulation of the > keyshare (by an attacker or some accidental bit flip that somehow was not > caught) would result in an implicit rejection here as well, with server and > client computing a different shared secret. The only new possible error > path I see is due to random decryption failure of a KEM, but given the > cryptographically low chance, I'm not certain if this failure needs special > handling in any case, and shouldn't be treated the same as a corrupted key > share. After all, they are so unlikely that "cosmic rays flipped all the > right bits for QUIC error correction to not notice" is far more likely to > result in a decryption error, so treating it the same as a decryption > failure due to a corrupted ciphertext seems fine to me. > > On Thu, Mar 14, 2024 at 11:43 AM David A. Cooper <david.cooper= > 40nist.gov@dmarc.ietf.org> wrote: > >> I do not believe that "decode_error" would be the correct alert. As the >> text currently says: >> >> *Failures* Some post-quantum key exchange algorithms, including ML-KEM, >> have non-zero probability of failure, meaning two honest parties may derive >> different shared secrets. This would cause a handshake failure. ML-KEM has >> a cryptographically small failure rate; implementers should be aware of the >> potential of handshake failure. Clients can retry if a failure is >> encountered. >> >> At least in the case of ML-KEM, decapsulation failures are implicit. As >> noted in the text above, the parties would derive different shared secrets >> (but they wouldn't know it). So, the client would not know that >> decapsulation failed, it would just be unable to decrypt the encrypted >> extensions, certificate, etc. The client would have no way of knowing >> whether this happened because of an ML-KEM decapsulation failure (extremely >> unlikely) or because some data was changed in transit (much more likely). >> >> Given how small the ML-KEM decapsulation failure rate is (2^-139 or >> less), I wouldn't be surprised if random bit flips in transit that aren't >> caught by a CRC or other check are more likely than ML-KEM decapsulation >> failures. Since the two are indistinguishable to the client, the client >> would have to handle them in the same way. So, I would suggest either >> omitting this paragraph or just note that a decapsulation failure would be >> indistinguishable from a scenario in which some data was changed in >> transit, and so would be handled in the same way. >> >> On 3/13/24 7:08 PM, Deirdre Connolly wrote: >> >> 4. In the Discussion section (on github), does the portion on failures >>> need to contain more information about how a failure should be handled in >>> TLS? Should a decrypt_error alert be sent? >> >> >> Oh very good point, DH doesn't usually fail like this; either because of >> fundamental (incredibly unlikely) decapsulation failure rates, or just a >> bug, this is good to handle, and we should probably update -hybrid-design >> to match. I've tracked this in this GitHub issue >> <https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/issues/1> >> for now. For my own sake, here's the `decode_error` defintion from RFC >> 8446: >> >> decode_error: A message could not be decoded because some field was >> >> out of the specified range or the length of the message was >> >> incorrect. This alert is used for errors where the message does >> >> not conform to the formal protocol syntax. This alert should >> >> never be observed in communication between proper implementations, >> >> except when messages were corrupted in the network. >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > > -- > > Sophie Schmieg | Information Security Engineer | ISE Crypto | > sschmieg@google.com > >
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Kris Kwiatkowski
- [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Andrey Jivsov
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 John Mattsson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Ilari Liusvaara
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 John Mattsson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Watson Ladd
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Orie Steele
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Bas Westerbaan
- Re: [TLS] ML-KEM key agreement for TLS 1.3 John Mattsson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Rob Sayre
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Dennis Jackson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Dennis Jackson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Salz, Rich
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 John Mattsson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Rebecca Guthrie
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Eric Rescorla
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Dennis Jackson
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Sofía Celi
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 David A. Cooper
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Bas Westerbaan
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Sophie Schmieg
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Stephen Farrell
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Watson Ladd
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Loganaden Velvindron
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Blumenthal, Uri - 0553 - MITLL