Re: [TLS] A suggestion for handling large key shares
Bas Westerbaan <bas@cloudflare.com> Tue, 19 March 2024 07:41 UTC
Return-Path: <bas@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E975CC14F600 for <tls@ietfa.amsl.com>; Tue, 19 Mar 2024 00:41:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0EwiKSGpmhRd for <tls@ietfa.amsl.com>; Tue, 19 Mar 2024 00:41:05 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04E7FC14F610 for <tls@ietf.org>; Tue, 19 Mar 2024 00:41:05 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-568a53d2ce0so6186267a12.0 for <tls@ietf.org>; Tue, 19 Mar 2024 00:41:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1710834063; x=1711438863; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=K+W8lbC6cVpJH1QFNSxgIZpOOo6GOo9Ng4PKOlPj0HQ=; b=NsNKXdZIjDCM6zjT/iWEYMvdXr3n0oDdZqRO3nPxZFFIihVxd6pUnhgiINxFq2OYsl /LI1eBRvuoXY6ezv0+sItksYYyPcd2hRbCkyuoW1MgmPM1iFG9CfwlVzeoSdNodS2qk4 IRyqdTPn9KYqq6HAizRVI8ihB5CIWpRnXzPy6Mnw6EdhWMA7Gv7YVZdqdEwWEcoq2IIT hm0WOSJiTukyDoyPwBE7k2n3G9LoVg9dXRkInRXz5eJJV+HuqmX63xirtOhdX2eJxtPp sUELPZdubKJJ3D+WdSdgTwzNLtXTDyN/O0gAF/5IESKKGOkJ34E6Q4m5XKSX/0PwnqjS g4jA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710834063; x=1711438863; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=K+W8lbC6cVpJH1QFNSxgIZpOOo6GOo9Ng4PKOlPj0HQ=; b=ry5MDLGlKN39FHbYkkY8S+agUNa2pKzMNi+Sq8sqayrwVDuQVamUURBzvqP7J9417/ b9pBiqhFbybd90mnwO1SfsRvVb8y5Fn7YWOHfjyVyEezd/i7QiOe/sbqhyONdzzEJHBF tbi9iUqePbP8YY53IvHaathm5CJwD+QmG4MuCH6YDY7oCAnqYws1tnXsIiH5RLWDHCDE Co9aIH2hDj0ypS+RMswqyqmUUFIzRkis65sQKKdrEjqmrEAWxQHza2Gz9lyvdyw1qYYH uep1kr/IpjgFy6Al6brlaqUmmQ79zf5YKMb8OuWAkdfWplwTIWFcuDmPPiFZvyl9endW hsww==
X-Gm-Message-State: AOJu0YwINZAguZLu40tFzQAIhoMY5VlQxIRARcZsrjQkbUicj7UuNM7u GRdTZp6hCwKClvOQKlCT/yfAx3BM+7ARYSYmxE5eUc8fG1qjVejLn6Jua6ztO3P2EGUULm0yPiY Z6CDSmt4ugsReSr53Xx/vEKucVcJAqkHVC8zUA31xjKB7wOX55hgCQzqP
X-Google-Smtp-Source: AGHT+IEoCvO20rrgohJu79J+8N2PF2hSKYs8yeRU/U2A939EDCLs+wYTI1v8fSwJiCDrG89dWZPTp//Aq4ZGbAfWb6s=
X-Received: by 2002:a17:906:aed8:b0:a46:2885:5bdb with SMTP id me24-20020a170906aed800b00a4628855bdbmr8835189ejb.5.1710834062990; Tue, 19 Mar 2024 00:41:02 -0700 (PDT)
MIME-Version: 1.0
References: <CH0PR11MB544488B051C041EB32541AB6C12C2@CH0PR11MB5444.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB544488B051C041EB32541AB6C12C2@CH0PR11MB5444.namprd11.prod.outlook.com>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Tue, 19 Mar 2024 08:40:51 +0100
Message-ID: <CAMjbhoVyFgPKR6wJHGVoVszo=29STk_Hi5w++Xv94FuXdwxnoQ@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000098f2a90613fe98d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GD1iCldxyJK788wOPcz9xXaNkg4>
Subject: Re: [TLS] A suggestion for handling large key shares
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 07:41:09 -0000
Hi Scott, I generally agree with David, in particular that the keyshare prediction draft is the way forward. There is a different use-case for your mechanism, which you didn't mention: it's less likely to trip over buggy servers / middleboxes. We use it as the default mechanism to talk to our customer's origins. https://blog.cloudflare.com/post-quantum-to-origins Thanks to Chrome's efforts, for browsers, we luckily don't need to use this slower mechanism. One inline comments down below. Best, Bas On Tue, Mar 19, 2024 at 5:47 AM Scott Fluhrer (sfluhrer) <sfluhrer= 40cisco.com@dmarc.ietf.org> wrote: > Recently, Matt Campagna emailed the hybrid KEM group (Douglas, Shay and > me) about a suggestion about one way to potentially improve the performance > (in the ‘the server hasn’t upgraded yet’ case), and asked if we should add > that suggestion to our draft. It occurs to me that this suggestion is > equally applicable to the pure ML-KEM draft (and future PQ drafts as well); > hence putting it in our draft might not be the right spot. > > > > Here’s the core idea (Matt’s original scenario was more complicated): > > > > - Suppose we have a client that supports both P-256 and P256+ML-KEM. > What the client does is send a key share for P-256, and also indicate > support for P256+ML-KEM. Because we’re including only the P256 key share, > the client hello is short > - If the server supports only P256, it accepts it, and life goes on as > normal. > - If the server supports P256+ML-KEM, what Matt suggested is that, > instead of accepting P256, it instead a ClientHelloRetry with P256+ML_KEM. > We then continue as expected and end up negotiating things in 2 round trips. > > > > Hence, the non-upgraded scenario has no performance hit; the upgraded > scenario does (because of the second round trip), but we’re transmitting > more data anyways > The roundtrip is quite a bit more costly than the extra kilobyte of upload with respect to latency. > (and the client could, if it communicates with the server again, lead off > with the proposal that was accepted last time). > > > > Matt’s suggestion was that this should be a SHOULD in our draft. > > > > My questions to you: a) do you agree with this suggestion, and b) if so, > where should this SHOULD live? Should it be in our draft? The ML-KEM > draft as well (assuming there is one, and it’s not just a codepoint > assignment)? Another RFC about how to handle large key shares in general > (sounds like overkill to me, unless we have other things to put in that > RFC)? > > > > Thank you. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] A suggestion for handling large key shares Scott Fluhrer (sfluhrer)
- Re: [TLS] A suggestion for handling large key sha… David Benjamin
- Re: [TLS] A suggestion for handling large key sha… tirumal reddy
- Re: [TLS] A suggestion for handling large key sha… Bas Westerbaan
- Re: [TLS] A suggestion for handling large key sha… Kampanakis, Panos
- Re: [TLS] A suggestion for handling large key sha… Rob Sayre
- Re: [TLS] A suggestion for handling large key sha… David Benjamin
- Re: [TLS] A suggestion for handling large key sha… Kampanakis, Panos