Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Bas Westerbaan <bas@cloudflare.com> Mon, 06 November 2023 12:14 UTC

To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>
Cc: John Mattsson <john.mattsson@ericsson.com>, "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EUWEvuT24k_qGjc33H6SKYYvRv0>

> (3)-(5) are exactly the hard problems I’ve been thinking a lot about
> lately.  I’d actually be tempted to say that AuthKEM vs signatures is
> something we should figure out ASAP.  I read AuthKEM again this morning,
> and it has a lot of attractive features, but I’m not quite sure what the
> right answer is yet.
>

I don't think we can settle the future of PQ authentication in TLS just yet
— there are still many unknowns. To name a few:

1. What signature schemes are on the horizon? MAYO [1] from the NIST
signatures on-ramp would be great, if it doesn't turn out to be broken.

2. How will the confidence in existing schemes develop? AuthKEM will look
different depending on whether it can use Kyber-512 or Kyber-1024. Also,
will it replace Dilithium5 or Dilithium2?

3. What other higher level changes is the ecosystem able to adopt? For
instance Merkle Tree Certs [2].

These are all hard questions, and although I do not believe we can answer
them now, we should be thinking about them right now. I think we should
have different pots on the fire, so to say.

Best,

 Bas

[1] https://pqmayo.org/params-times/
[2] https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/