Re: [TLS] ML-KEM key agreement for TLS 1.3

John Mattsson <john.mattsson@ericsson.com> Wed, 06 March 2024 15:57 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C89x3SyP0mP8dg6QtRhBY5watm4>

Thanks Deirdre,

I would like to use hybrid but I strongly believe that registering things as standalone NamedGroups and then letting TLS negotiate which combinations to use is the right one long-term. This is the approach chosen by IKEv2.

- As EKR pointed out the word "fully" would need explanation.

- We align with [hybrid] except that instead of joining ECDH options
  with a KEM, we just have the KEM as a NamedGroup.

  I don't understand. We align with hybrid by not being hybrid?

- encapsulated shared secret ciphertext

Maybe shared secret encapsulated in the ciphertext?

Cheers,
John

From: TLS <tls-bounces@ietf.org> on behalf of Eric Rescorla <ekr@rtfm.com>
Date: Wednesday, 6 March 2024 at 16:12
To: Deirdre Connolly <durumcrustulum@gmail.com>
Cc: TLS@ietf.org <tls@ietf.org>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3

Deirdre, thanks for submitting this. Can you say what the motivation is for being "fully post-quantum" rather than hybrid?

Thanks,
-Ekr



On Tue, Mar 5, 2024 at 6:16 PM Deirdre Connolly <durumcrustulum@gmail.com> wrote:
I have uploaded a preliminary version of ML-KEM for TLS 1.3 <https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/> and have a more fleshed out <https://github.com/dconnolly/draft-tls-mlkem-key-agreement> version to be uploaded when datatracker opens. It is a straightforward new `NamedGroup` to support key agreement via ML-KEM-768 or ML-KEM-1024, in a very similar style to -hybrid-design <https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/>.

It will be nice to have pure-PQ options (that are FIPS / CNSA 2.0 compatible) ready to go when users are ready to use them.

Cheers,
Deirdre