[TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt
Peter C <Peter.C@ncsc.gov.uk> Mon, 10 March 2025 10:54 UTC
From: Peter C <Peter.C@ncsc.gov.uk>
To: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 10 Mar 2025 10:54:16 +0000
Message-ID: <LO2P123MB70510AFFBB46844E256C0A06BCD62@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
References: <Z82aAuvLY1tiDxbQ@chardros.imrryr.org> <20250309231710.335050.qmail@cr.yp.to> <Z842c12hY9LNOd8J@chardros.imrryr.org>
In-Reply-To: <Z842c12hY9LNOd8J@chardros.imrryr.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BjkSceX88Sx8QeVZCwFKdGLQMhw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
In ML-KEM, Bob derives b deterministically from m and H(ek). If Bob tried to reuse b with a different public key, then the re-encryption check would fail during decapsulation.

Peter

> -----Original Message-----
> From: Viktor Dukhovni <ietf-dane@dukhovni.org>
> Sent: 10 March 2025 00:47
> To: tls@ietf.org
> Subject: [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt
>
> On Sun, Mar 09, 2025 at 11:17:10PM -0000, D. J. Bernstein wrote:
>
> > Viktor Dukhovni writes:
> > > However, you'll be thrilled to learn that it is not possible for a TLS
> > > server to reuse its ML-KEM keyshare when a client uses a fresh ephemeral
> > > ML-KEM keyshare.
> >
> > "Not possible"?
> >
> > In ECDH, or more precisely ElGamal encryption: Alice sends A = aG; Bob
> > sends B = bG and C = bA+M; Alice recovers M as C-aB.
> >
> > In Kyber, Alice sends G and A = aG+e; Bob sends B = Gb+d and C = Ab+M+c;
> > Alice recovers M by rounding C-aB.
> >
> > Bob can save time by reusing b. The speedup isn't as big as in the ECDH
> > context if Alice chooses fresh G and A, but there's still _some_
> > savings, notably the time to prepare b for multiplication.
> >
> > I'm not saying that this is safe. I'm saying that it's what will happen
> > if Bob is looking for the best speed that interoperates. It can also
> > happen by accident, of course.
>
> I'd expect such designs to be quite unlikely, because in contrast with
> static DH keys, there is no notion of "ŷ" as a static ML-KEM key. Also,
> the APIs are not structured to support ŷ as an input to either
> ML-KEM.Encaps(ek), or the derandomised ML-KEM.Encaps_internal(ek, 𝑚).
>
> One might also hypothetically use a constant "𝑚", compromising the
> derived shared key: (𝐾, 𝑟) ← G(𝑚 ‖ H(ek)).
>
> I think the concern here is what "plausibly mainstream" implementations
> are likely to do, where some reuse of client ephemeral keys can be
> expected, but reuse of ŷ does not look particularly plausible.
>
> --
> Viktor.
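The mechanism Peter describes, as an added example that is not part of the thread and not taken from any ML-KEM implementation: a toy KEM with ML-KEM's Fujisaki-Okamoto structure, where (K, r) is derived as G(m || H(ek)), the encryption is randomised only through r, and decapsulation re-encrypts the recovered message and falls back to J(z || c) on mismatch. To keep the block short, textbook ElGamal over Z_p^* with p = 2^521 - 1 stands in for K-PKE, and SHA3/SHAKE stand in for G, H and J; the function names, the 66-byte encodings and the "b is a hash of r" rule are this example's own choices, and nothing here is secure or conformant. `encaps_reusing_b` models the time-saving Bob of the quoted discussion, who keeps b from an earlier encapsulation instead of re-deriving it from r.

```python
"""Toy FO-transform KEM showing why a reused ephemeral secret b fails the
re-encryption check under a different public key.  Added example; not
ML-KEM, not secure.  ElGamal in Z_p^* stands in for K-PKE."""
import hashlib
import secrets
from typing import Optional, Tuple

P = (1 << 521) - 1   # Mersenne prime; toy group is Z_p^*, order P - 1
G_BASE = 3           # any fixed group element is fine for the toy
ENC_LEN = 66         # bytes needed to hold an element of Z_p^*


def H(data: bytes) -> bytes:                       # stand-in for ML-KEM's H
    return hashlib.sha3_256(data).digest()


def G(data: bytes) -> Tuple[bytes, bytes]:         # stand-in for G: (K, r)
    d = hashlib.sha3_512(data).digest()
    return d[:32], d[32:]


def J(data: bytes) -> bytes:                       # stand-in for J (implicit rejection)
    return hashlib.shake_256(data).digest(32)


def secret_from_r(r: bytes) -> int:
    """Bob's ephemeral secret b is a deterministic function of r (ML-KEM
    samples its secret vector from r; here r is hashed to a scalar)."""
    return 1 + int.from_bytes(hashlib.shake_256(r).digest(64), "big") % (P - 2)


def keygen():
    x = 1 + secrets.randbelow(P - 2)
    ek = pow(G_BASE, x, P).to_bytes(ENC_LEN, "big")
    dk = {"x": x, "ek": ek, "hek": H(ek), "z": secrets.token_bytes(32)}
    return ek, dk


def pke_encrypt(ek: bytes, m: bytes, b: int) -> bytes:
    """Randomised PKE; all randomness enters through b."""
    h = int.from_bytes(ek, "big")
    M = int.from_bytes(m, "big") + 1               # 1 <= M < 2^256 + 1 < P
    c1 = pow(G_BASE, b, P)
    c2 = M * pow(h, b, P) % P
    return c1.to_bytes(ENC_LEN, "big") + c2.to_bytes(ENC_LEN, "big")


def pke_decrypt(dk, c: bytes) -> bytes:
    c1 = int.from_bytes(c[:ENC_LEN], "big")
    c2 = int.from_bytes(c[ENC_LEN:], "big")
    M = c2 * pow(pow(c1, dk["x"], P), -1, P) % P
    return ((M - 1) % (1 << 256)).to_bytes(32, "big")   # mask keeps garbage decodable


def encaps(ek: bytes, m: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """ML-KEM-style Encaps: (K, r) <- G(m || H(ek)); b derived from r."""
    m = m if m is not None else secrets.token_bytes(32)
    K, r = G(m + H(ek))
    return K, pke_encrypt(ek, m, secret_from_r(r))


def encaps_reusing_b(ek: bytes, m: bytes, b: int) -> Tuple[bytes, bytes]:
    """The 'save time by reusing b' Bob: K derived honestly, b not re-derived."""
    K, _r = G(m + H(ek))
    return K, pke_encrypt(ek, m, b)


def decaps(dk, c: bytes) -> bytes:
    """ML-KEM-style Decaps: recover m', re-derive (K', r'), re-encrypt, compare."""
    m_prime = pke_decrypt(dk, c)
    K_prime, r_prime = G(m_prime + dk["hek"])
    K_bar = J(dk["z"] + c)                                   # implicit-rejection key
    c_prime = pke_encrypt(dk["ek"], m_prime, secret_from_r(r_prime))
    return K_prime if c_prime == c else K_bar


def demo() -> Tuple[bool, bool]:
    """Returns (honest run accepted, b reused under a second ek rejected)."""
    ek1, dk1 = keygen()
    ek2, dk2 = keygen()
    m = secrets.token_bytes(32)
    K1, c1 = encaps(ek1, m)
    honest_ok = decaps(dk1, c1) == K1
    b_old = secret_from_r(G(m + H(ek1))[1])                  # b that was right for ek1
    K2, c2 = encaps_reusing_b(ek2, m, b_old)                 # reused under ek2
    reused_rejected = decaps(dk2, c2) != K2                  # Alice2 re-derives b from
    return honest_ok, reused_rejected                        # (m, H(ek2)) and mismatches


if __name__ == "__main__":
    print(demo())
```

The same block also illustrates Viktor's remark about a constant m: with fixed m and fixed ek, `encaps` is fully deterministic, the re-encryption check passes, and K repeats, so the check catches reuse of b across public keys but says nothing about reuse of m.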
- [TLS] FW: I-D Action: draft-kwiatkowski-tls-ecdhe… John Mattsson
- [TLS] Re: I-D Action: draft-kwiatkowski-tls-ecdhe… Salz, Rich
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… Viktor Dukhovni
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… John Mattsson
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… Viktor Dukhovni
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… John Mattsson
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… Viktor Dukhovni
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… Salz, Rich
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… D. J. Bernstein
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… Viktor Dukhovni
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… Peter C
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… Viktor Dukhovni
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… Dang, Quynh H. (Fed)
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… D. J. Bernstein
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… John Mattsson
- [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-e… D. J. Bernstein
- [TLS] Re: I-D Action: draft-kwiatkowski-tls-ecdhe… Kris Kwiatkowski
- [TLS] Re: I-D Action: draft-kwiatkowski-tls-ecdhe… Viktor Dukhovni
- [TLS] Re: I-D Action: draft-kwiatkowski-tls-ecdhe… Filippo Valsorda
- [TLS] Re: I-D Action: draft-kwiatkowski-tls-ecdhe… Eric Rescorla
- [TLS] Re: I-D Action: draft-kwiatkowski-tls-ecdhe… Bas Westerbaan