[TLS] Re: [EXT] Re: Concerns about the current draft.

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 25 August 2025 11:04 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
Date: Mon, 25 Aug 2025 11:04:04 +0000
Message-ID: <EFE61C51-AF63-4488-8988-3F4774B5F0DE@ll.mit.edu>
References: <CAMjbhoWgCPNJOZ56s4LZVFDhcf7RLGG-Os9=oB=n=k7BJ8gUug@mail.gmail.com>
In-Reply-To: <CAMjbhoWgCPNJOZ56s4LZVFDhcf7RLGG-Os9=oB=n=k7BJ8gUug@mail.gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Re: [EXT] Re: Concerns about the current draft.
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/J7e0_vH8QK8x7_n6W1y7OUV74sg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

1. We do not have to have the same strength level in all the primitives that our combination uses. True, combining RSA-2048 with AES-256 does not increase the total strength of the construction above 128 bits - but since (in many cases) the cost of AES-256 is roughly the same as that of AES-128, often it's simpler to just stick with AES-256 everywhere, and reduce the code-base. With RSA - you'll need to replace it with an entirely different algorithm, being able to reuse only the logic of the protocol.

2. How hard, in your opinion, would switching an app that currently uses only AES-128 to AES-256 be?

3. Those customers you're referring to seem to have a non-scientific approach, IMHO. Of course, you still need to do what they want - understandably.

Regards,
Uri

Secure Resilient Systems and Technologies
MIT Lincoln Laboratory

On Aug 25, 2025, at 06:45, Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org> wrote:

Thanks Eric. Let me add a few more words.

Although opinions differ on whether Grover's algorithm will ever be practical, there is no debate that attacks with Grover's algorithm are much further out in the future than Shor. There are some advantages to moving to 256-bit symmetric ciphers apart from countering Grover, and it's not that expensive, so quite a few experts will not bother debunking the misleading "we must double symmetric key size because of quantum". I have two objections to that though.

To start, I do not think we have enough time and resources to migrate everything. Not by a long shot. I would rather have someone spend their limited efforts on upgrading RSA somewhere, instead of AES-128.

Secondly, if we do insist on AES-256, then we must match our asymmetric cryptography to that as well. In stark contrast to symmetric cryptography, moving to 256 bits for asymmetric cryptography is much more expensive.

Now, you might also notice that ML-KEM-768 is designed to match AES-192, whereas X25519 roughly matches AES-128. That's intentional: we picked ML-KEM-768 not to match AES-192, but to have a big margin on top of AES-128 in case there is a cryptanalytic advance.

Finally, I would like to note another reason for traditional/PQC hybrids. Most people simply don't care about post-quantum cryptography, but they do care about their existing security or compliance. Many of our customers would be quite uncomfortable with us switching completely to some newfangled cryptography. It can be done, but it takes more time, and I don't think we have that much time left. Hybrids sidestep the problem, as they will allow us to deploy PQC by default.

Best,

Bas


On Sun, Aug 24, 2025 at 10:35 PM ma bing <bingmatv@outlook.com> wrote:
Some websites, including Google, are using the experimental ECC+Kyber hybrid solution, but Google and others still use AES-128. A quantum computer can weaken 128-bit symmetric encryption to 64-bit security; that's the 1st concern. So the draft should only use AES-256. And NSA suggests 1024-dimensional MLKEM; the 2nd concern is that Google and others use MLKEM768. The 3rd concern is that the draft uses ECC in addition to Kyber. NIST has approved HQC (Hamming Quasi-Cyclic) in addition to the already approved ciphers, so I suggest switching from ECC+Kyber to HQC+Kyber. Since ECC is vulnerable to quantum computers, using ECC+Kyber is likely a false positive, so I think HQC+Kyber is better. In conclusion, I think there are 3 concerns.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-leave@ietf.org