IETF Logo Mail Archive

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

Phillip Hallam-Baker <ietf@hallambaker.com> Fri, 05 August 2022 21:47 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16189C15A728 for <tls@ietfa.amsl.com>; Fri, 5 Aug 2022 14:47:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.411
X-Spam-Level:
X-Spam-Status: No, score=-1.411 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BtR1jsyFjCOo for <tls@ietfa.amsl.com>; Fri, 5 Aug 2022 14:47:56 -0700 (PDT)
Received: from mail-oa1-f44.google.com (mail-oa1-f44.google.com [209.85.160.44]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E51AAC15948F for <tls@ietf.org>; Fri, 5 Aug 2022 14:47:55 -0700 (PDT)
Received: by mail-oa1-f44.google.com with SMTP id 586e51a60fabf-10ea9ef5838so4337719fac.3 for <tls@ietf.org>; Fri, 05 Aug 2022 14:47:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=egC/bzixur9HGtMjVEIAuX1jKWu+xJ/oGSHOSrQ9TRg=; b=3MlxXXfQzmdb/EGo1whxzHrak0BQdYpyv26WEZQAD+DCfXkZ3sFxJA0xrhFAPxjyNV hlsM4ssPGX8UjCqXgAmh93ThFPHQjVfEQbjZpm62LGtZlitLkSQPI52GUfLnDbVhf1rY RR10KN2LHrCQt6bnrhzmyTdrsjHqz5dkOLOgWrYnT/TuzIFWUHvGdK1qE1lfQcqIPCOx 0V9dBYb5vsZ17rpljqAiUneKNczn4eRQIYTCFZhikVedx1ZSji49iOVGICCs2O8Dckgn MLgfmsxM3EKnEFad+vpFddQTBphFHx0yNR5sYUAv01UF1nnKGeXp6bvbduuUnw9WWX/o ddxg==
X-Gm-Message-State: ACgBeo0lv6y3FzaLFIB+gtO1g+NidDkSHrOhoRPpF6ClKNdepZ1vpkri JlUXrOSeg/c9tU8U3q58ZbCHvmIGSR0MsuGkVKk=
X-Google-Smtp-Source: AA6agR5FG7uUh1c9BPUOElgkGFHaubH23yFQJr+lypMNvaAYhASWV3ItoWtBzPXOmxrAY1eRqE9PQOfx15Tibjmo3As=
X-Received: by 2002:a05:6870:1601:b0:101:5e61:d8ee with SMTP id b1-20020a056870160100b001015e61d8eemr3889233oae.244.1659736075035; Fri, 05 Aug 2022 14:47:55 -0700 (PDT)
MIME-Version: 1.0
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com> <CAMm+LwgAzb4t=awzpU4Sb5j7Bf6DuR3u+23n+h_C3Pnsin-SHg@mail.gmail.com> <8383756C-5595-4028-9E5E-8B758147ED33@ll.mit.edu>
In-Reply-To: <8383756C-5595-4028-9E5E-8B758147ED33@ll.mit.edu>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
Date: Fri, 05 Aug 2022 17:47:43 -0400
Message-ID: <CAMm+LwgHNL_aHqK+TbdBf=xJBPftjkXL_=isXUJB+mbiUc7_Lw@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: Thom Wiggers <thom@thomwiggers.nl>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002c686305e5856ba6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IaNeKBpUAlmp3wHQfvicXLydb40>
Subject: Re: [TLS] Before we PQC... Re: PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2022 21:47:57 -0000

On Fri, Aug 5, 2022 at 4:42 PM Blumenthal, Uri - 0553 - MITLL <
uri@ll.mit.edu> wrote:

> In yesterday’s working group meeting we had a bit of a discussion of the
> impact of the sizes of post-quantum key exchange on TLS and related
> protocols like QUIC. As we neglected to put Kyber’s key sizes in our slide
> deck (unlike the signature schemes), I thought it would be a good idea to
> get the actual numbers of Kyber onto the mailing list.
>
> Before we dive into applying the NIST algorithms to TLS 1.3 let us first
> consider our security goals and recalibrate accordingly.
>
>
>
> That’s always a good idea.
>
>
>
> I have the luxury of having 0 users. So I can completely redesign my
> architecture if needs be. But the deeper I have got into Quantum Computer
> Cryptanalysis (QCC) PQC, the less that appears to be necessary.
>
>
>
> Respectfully disagree – though if all you got to protect is your
> TLS-secured purchases from Amazon.com, I’d concede the point.
>
>
>
> First off, let us level set. Nobody has built a QC capable of QCC and it
> is highly unlikely anyone will in the next decade.
>
>
>
> You cannot know that, and “professional opinions” vary widely.
>

The relevant qualification in this case is to have experience of
experimental physics. I spent eight years working in high energy physics. I
can spot a science project when I see one. The folk who wrote the MIT
Quantum Computing course are as skeptical about the scalability of the
super-cold quantum machines as I am. The trapped ion approach is certainly
a plausible threat but nobody has managed to make that work yet and the
current progress is in the optical systems and not the hyperfine transition
systems.



> So, what we are concerned about today is data we exchange today being
> cryptanalyzed in the future.
>
> We can argue about that if people want but can we at least agree that our
> #1 priority should be confidentiality.
>
>
>
> Yes and yes.
>
>
>
> So the first proposal I have is to separate our concerns into two separate
> parts with different timelines:
>
>
>
> #1 Confidentiality, we should aim to deliver a standards based proposal by
> 2025.
>
>
>
> If we (well, some of us) got the data *today* that mustn’t be disclosed a
> decade from now, then we do not have the luxury of waiting till 2025.
> Otherwise, see above.
>

I know people would like to have a solution much sooner but what people
want and what they can reasonably expect are frequently very different
things.

Let us not repeat the failure of the DPRIV working group which decided that
the problem was so very very urgent that they had to have a solution in 12
months time then used that arbitrary and idiotic constraint to exclude any
UDP transport scheme from consideration. As I predicted seven years ago,
the TLS based solution they adopted which depended on TLS quickstart was
never used because it was undeployable. We only got a deployable version of
DPRIV a few months ago when the DNS over QUIC scheme went to last call.

My point here is that it is a really bad idea to set schedules for
delivering standards according to what people assert is 'necessary'. in the
DPRIV case, trying to make the process work faster actually made it much
slower.

Given the amount of work required, the time taken to get people up to speed
with the new approach, 2025 seems like a fairly optimistic date to deliver
a spec even with it being a priority.

The other point to make in this respect is that yes, a heck of a lot of
data that is generated today will have serious consequences if disclosed as
a result of QCC. But that data is a really small fraction of the TLS
traffic today which is vastly more than any adversary could store. Also,
people who genuinely have such concerns need to be looking at Data at Rest
security as their primary security mechanism. So given the almost complete
lack of concern for Data at Rest security in the industry right now, I am
tending to see the PQC concerns as being less about security and more about
something else.



> #2 Fully QCC hardened spec before 2030.
>
>
>
> If by “fully…” you mean “including PQ digital signatures”, I’d probably
> agree.
>

Not just that. We have to go through and audit every part of the TLS/WebPKI
system to check and it is a very large and very complex system. It is bad
enough trying to get my head around all the possible issues with the Mesh
which is a system with one specification and no legacy. TLS/PKIX/ACME is
going to be a real bear.

I am now thinking in terms of 'Post Quantum Hardened" and "Post Quantum
Qualified". Hardening a system so it doesn't completely break under QCC is
a practical near term goal. Getting to a fully qualified system is going to
be a root-and-canal job.


Second observation is that all we have at this point is the output of the
> NIST competition and that is not a KEM. No sorry, NIST has not approved a
> primitive that we can pass a private key to and receive that key back
> wrapped under the specified public key. What NIST actually tested was a
> function to which we pass a public key and get back a shared secret
> generated by the function and a blob that decrypts to the key.
>
>
>
> The output of NIST PQC is *exactly* KEM. And it’s fully specified.
>
>
>
> NIST did not approve 'KYBER' at least it has not done so yet.
>
>
>
> NIST did – what it did *not* do is finalizing the specs, which requires
> public review. Some people conjecture that Kyber will not need many changes
> to become a “full” standard.
>

And other people are claiming that Kyber has limitations, that it does not
support non-interactive protocols, etc. etc. While I would be happy to see
some qualified cryptographers come out and say that those people are wrong
and misinformed etc., I am not seeing that pushback at this point.

My issue here is that opening the box voids the manufacturer's warranty and
at this point we do not have a description of what the inner box is or what
caveats might apply to using the inner mechanism.


TLS protocol includes derivation of “session” keys. Currently it employs
> asymmetric “pre-Quantum” crypto. That has to be replaced by PQ asymmetric
> crypto. That’s the most appropriate (and the only) point to deploy PQC in.
> I’ve no clue about Mesh, so exclude Mesh from my comment.
>
>
>
> The solution I am currently working with is to regard QCC at the same
> level as a single defection. So if Alice has established a separation of
> the decryption role between Bob and the Key Service, both have to defect
> (or be breached) for disclosure to occur. Until I get Threshold PQC, I am
> going to have to accept a situation in which the system remains secure
> against QCC but only if the key service does not defect.
>
>
>
> Skipping the above.
>
>
>
> Applying the same principles to TLS we actually have two key agreements in
> which we might employ PQC:
>
>
>
> 1) The primary key exchange
>
> 2) The forward secrecy / ephemeral / rekey
>
>
>
> Looking at most of the proposals they seem to be looking to drop the PQC
> scheme into the ephemeral rekeying. That is one way to do it but does the
> threat of QCC really justify the performance impact of doing that?
>
>
>
> First, I don’t see performance impact from that. PQC KEMs are pretty fast.
> The main cost is in exchanging much larger bit blobs. Second – if your
> today’s data will maintain its value into 2030+, then definitely yes;
> otherwise – who cares.
>
>
>
> PQC hardening the initial key exchange should suffice provided that we fix
> the forward secrecy exchange so that it includes the entropy from the
> primary. This would bring TLS in line with Noise and with best practice. It
> would be a change to the TLS key exchange but one that corrects an
> oversight in the original forward secrecy mechanism.
>
>
>
> If your rekey depends on the initial key values, and/or uses only Classic
> crypto – how can you provide Forward Secrecy?
>

The TLS nomenclature is confused here. To me a session key is what I apply
to data, i.e.

session = KDF (ephemeral-agreement)

My rekey uses the initial values plus the ephemeral exchange, ie

session = KDF (initial-exchange + ephemeral-agreement)

So the key I use to encrypt the data is secure if either the
initial-exchange is secure or the ephemeral-agreement is secure. I have not
proved that but any inability to produce such a proof should probably stand
as indicating a limitation in the current state of the art in formal proofs
of security than the protocol design.

What I propose using in a minimally PQC hardened exchange is:

session = KDF (initial-exchange + initial-PQC + ephemeral-agreement)

That is one option but not the only one. There are

0) Classic initial, no forward secrecy
1) Classic initial + PQC initial, no forward secrecy
2) Classic initial + PQC initial, classical forward secrecy
3) Classic initial, classical forward secrecy + PQC forward secrecy
4) Classic initial, PQC forward secrecy
5) Classic initial + PQC initial, PQC forward secrecy
6) Classic initial + PQC initial, classical forward secrecy + PQC forward
secrecy
etc.

Given that Google has spent the past five years telling people that
security signals absolutely don't work, they are going to face a billion
dollar anti-trust suit from certain CAs if they then try to provide a new
security signal to show off support for PQC crypto. So persuading sites to
deploy PQC support might be challenging.


The big difference between PQC initial and PQC forward secrecy is that if
the PQC agreement is going to take place as an initial key agreement, the
public key has to be attested by the TLS server certificate. It is this
move that makes '0RTT' possible. As I keep saying, 0RTT is not really a
thing, we just have clever ways to conceal parts of the protocol by moving
them into a different protocol. If we want Kyber to work as 0RTT, we have
to use the same techniques.

The term 'interactive' is used very differently in protocol design and
cryptography. DH and ECDH are mutual key exchanges. Alice and Bob both
receive a shared secret that both contribute to equally. Kyber is a
unilateral key exchange, Alice encrypts to Bob's public key without using
her key. If we want to have a mutually authenticated key exchange, Bob is
going to have to encrypt something to Alice's public key.

v2.23.0 | Report a Bug | By Email