Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Thom Wiggers <thom@thomwiggers.nl> Mon, 06 November 2023 13:32 UTC

Cc: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Hhn_oui_IRlla2NsPK5eNeolvOg>

Hi,

> On 6 Nov 2023, at 14:24, Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org> wrote:
> 
> I’m fine if the cocktail napkin says “we’ll either do A or B, we’re still figuring that out”.

I’m not sure if we will be able to say this as strictly as “A xor B”; we might need to do A and B in different environments. CNSA 2.0’s requirement of level-V parameters results in very different behaviour than what we see at NIST level I, for example. The platforms on which we deploy things are also subject to wildly varying constraints.

Cheers,

Thom 


 
>  
> What I’m trying to avoid is the situation where everyone has a different notional quantum-safe TLS design in their heads, but nobody realizes it because nobody has bothered to try to write down the details, even at a very high level.
>  
> If it changes in the future due to new events or analysis, that’s ok too.
>  
> -Tim
>  
> From: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org> 
> Sent: Monday, November 6, 2023 1:14 PM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>
> Cc: John Mattsson <john.mattsson@ericsson.com>; TLS@ietf.org
> Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
>  
>  
> (3)-(5) are exactly the hard problems I’ve been thinking a lot about lately.  I’d actually be tempted to say that AuthKEM vs signatures is something we should figure out ASAP.  I read AuthKEM again this morning, and it has a lot of attractive features, but I’m not quite sure what the right answer is yet.
>  
> I don't think we can settle the future of PQ authentication in TLS just yet — there are still many unknowns. To name a few:
>  
> 1. What signature schemes are on the horizon? MAYO [1] from the NIST signatures on-ramp would be great, if it doesn't turn out to be broken.
>  
> 2. How will the confidence in existing schemes develop? AuthKEM will look different depending on whether it can use Kyber-512 or Kyber-1024. Also, will it replace Dilithium5 or Dilithium2?
>  
> 3. What other higher level changes is the ecosystem able to adopt? For instance Merkle Tree Certs [2].
>  
> These are all hard questions, and although I do not believe we can answer them now, we should be thinking about them right now. I think we should have different pots on the fire, so to say.
>  
> Best,
>  
>  Bas
>  
> [1] https://pqmayo.org/params-times/
> [2] https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/
>  