IETF Logo Mail Archive

Re: [TLS] [EXT] Re: What is the TLS WG plan for quantum-resistant algorithms?

Yoav Nir <ynir.ietf@gmail.com> Tue, 07 November 2023 05:51 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCFFDC1705ED for <tls@ietfa.amsl.com>; Mon, 6 Nov 2023 21:51:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UrntFO00y40r for <tls@ietfa.amsl.com>; Mon, 6 Nov 2023 21:51:04 -0800 (PST)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F6EEC1C02A0 for <tls@ietf.org>; Mon, 6 Nov 2023 21:51:04 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id 5b1f17b1804b1-40859c466efso38335455e9.3 for <tls@ietf.org>; Mon, 06 Nov 2023 21:51:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699336262; x=1699941062; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=thA5sePR/p06y3/fIIj26jj4XGfmtDAgLy5Hf6N2tN4=; b=m9JbRoxUa1/5nVF5iNTipGgyL/4inXuVsM7U6Bu94V0z4fY8C8u3EvM8DNPMuYJzSW H0A1d6AfV269mzHCCBIWph5o2NUFQf5KW5e2dZODttYbv7GcPoEChjC4O+iZOQ7eJflW q6ofgdDb1odqAz/p1XCHHrjlhlINBLYsC1nN03XfH7D5hOR/jmwNDin+6+b74yImMb/q G3vbmd2qvc4SV1hhJPlw1MzeqYp3eRYexY+WD0qMXRyPEdXFV3DWneJedwjBL6SuWpSZ P95Mr1xuEWsgl62iKFYQ5484DgfzzVeaW3EeK8kCD9Ru5yXrz0Lyot8PrZh3IS3wYO1K Cwvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699336262; x=1699941062; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=thA5sePR/p06y3/fIIj26jj4XGfmtDAgLy5Hf6N2tN4=; b=MfvX8pwVlytSIB+O4DPgHOV+naCb7Qoxg3VjGhA0V0UPy6vAzzO8RC1NeG4hy5PUwz Nz7GBJBWTWUOhCUoVL6JVbE5o8I3CqI+MFtgX/qr5+dJxfy9Eiz4aoZCa8EinvUyWcGj O+leTi6e7oeIxmnMLpDi31EhPZrLlzQ4jRMKXZ12Mm9RyrlHlM+uUuFpPO+VGWSUYwgu yfvES1B5AQifY8Nik8yem8GflZW4zoWg5kgPf7iLJ5qZMBrS/gHz8fO+OA51uPjhAr+T TQR8oqjGArzcHqdMEIoa4TUaYGlb5ZKb6ZCO/5ETuq3AMk+1FWk5evsmUlIK8MsG7vih pjcw==
X-Gm-Message-State: AOJu0YxYU02W5SbQKlEiFEDyob5FTRtZIIifp62ZODorBeJ8E4nlKAo3 YloYKdFsHlBOfNdqwZ/lHNGs1FM6YELqfg==
X-Google-Smtp-Source: AGHT+IET/b4pLJ6g2sgnumAGFm0gvfXgM8db43GaN1GVlni7DpW3ggjzIcibgB4BQwxHWwqpGcBnDA==
X-Received: by 2002:a05:600c:1c24:b0:401:b53e:6c3b with SMTP id j36-20020a05600c1c2400b00401b53e6c3bmr1199888wms.6.1699336261826; Mon, 06 Nov 2023 21:51:01 -0800 (PST)
Received: from smtpclient.apple (84.94.37.215.cable.012.net.il. [84.94.37.215]) by smtp.gmail.com with ESMTPSA id t9-20020a1c7709000000b0040641ce36a8sm5817864wmi.1.2023.11.06.21.51.00 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Nov 2023 21:51:01 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <43E90804-265F-4E7F-9DE1-54B9896C960C@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B8768F52-0EAE-48DF-B6CF-0D797E71B8A5"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.100.2.1.4\))
Date: Tue, 07 Nov 2023 07:50:49 +0200
In-Reply-To: <C96DC528-B3CB-460D-A3ED-EF930C59A92A@ll.mit.edu>
Cc: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
References: <C96DC528-B3CB-460D-A3ED-EF930C59A92A@ll.mit.edu>
X-Mailer: Apple Mail (2.3774.100.2.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Jgv4w5K6qeImL2Cut_BmmiSafiM>
Subject: Re: [TLS] [EXT] Re: What is the TLS WG plan for quantum-resistant algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2023 05:51:08 -0000


> On 7 Nov 2023, at 0:29, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> 
> Do we want rfc describing the final NIST standards? And for which? I'm ok with that — in this order of priority: ml-kem, ml-dsa, slh-dsa.
>  
> Probably yes, and in the order you described.

Sure, as long as by “describe” we mean “reference”.  NIST do a great job of describing algorithms. We don’t need to replicate that effort, only to show encoding in a particular protocol and choose when several options are available.
 
> For which algorithms do we want to assign codepoints once the NIST standards are out? Codepoints are cheap and use cases/rules are different, but especially with the hybrids, I'd encourage us to try to be disciplined and keep the list as short as we can for now, so that early adopters for which it doesn't matter, all choose the same thing. The DNS mechanism of draft-davidben-tls-key-share-prediction helps on the performance side, but it doesn't solve the duplicate engineering/validation if there are a dozen essentially equivalent KEMs.
>  
> Leaving this question alone, at least for now.
>  
> Do we want to standardise non-hybrid KEMs for TLS? I don't care for them yet, but others might.
>  
> Absolutely yes.

Yes. They're that end goal mentioned upthread. 

> Do we need hybrid signatures for the TLS handshake? I don't see the use, but could be convinced otherwise.
>  
> I don’t need/want them, but can’t/won’t forbid others from using them. They still don’t make sense to me.

Signatures generally follow from what’s in the certificate. So if certificates are going to have hybrid keys, it makes sense for the protocol to have hybrid signatures.
It’s still an open question if certificates are going to have hybrid keys. LAMPS has not spoken beyond not adopting a draft.

> What is the future of AuthKEM? That's definitely a different e-mail thread.
>  
> I hope it becomes a mainstream standard.
>  
> Concretely, after ML-KEM is finished, I was planning to update draft-schwabe-cfrg-kyber to match it, and proposing to register a codepoint for a single ML-KEM-768 hybrid in draft-ietf-tls-hybrid-design.
>  
> Great!
>  
> Thanks 
>  
> On Mon, Nov 6, 2023 at 10:10 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org <mailto:40ericsson.com@dmarc.ietf.org>> wrote:
>> Hi,
>> 
>> NIST has released draft standards for ML-KEM, ML-DSA, and ML-SLH. Final standards are expected in Q1 2024.
>> https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography
>>  
>> I would like to have standard track TLS (and DTLS, QUIC) RFCs for ML-KEM and ML-DSA (all security levels standardized by NIST) as soon as possible after the final NIST standards are ready. 3GPP is relying almost exclusively on IETF RFCs for uses of public key cryptography (the exception is ECIES for IMSI encryption but that will likely use HPKE with ML-KEM in the future).
>>  
>> Looking at the TLS document list, it seems severely lacking when it comes to ML-KEM, ML-DSA…
>>  
>> The adopted draft-ietf-tls-hybrid-design is an informal draft dealing with the pre-standard Kyber. 
>> https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
>> 
>> AuthKEM is a quite big change to TLS
>> https://datatracker.ietf.org/doc/draft-wiggers-tls-authkem-psk/
>>  
>> This is not adopted, informal, and dealing with the pre-standard Kyber.
>> https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/
>>  
>> What is the TLS WG plan for quantum-resistant algorithms? My current view is that I would like ML-KEM-512, ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, and ML-DSA-87 registered asap. For hybrid key exchange I think X25519 and X448 are the only options that make sense. For hybrid signing, ECDSA, EdDSA, and RSA could all make sense.
>>  
>> Cheers,
>> John
>>  
>> From: TLS <tls-bounces@ietf.org <mailto:tls-bounces@ietf.org>> on behalf of internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
>> Date: Friday, 8 September 2023 at 02:48
>> To: i-d-announce@ietf.org <mailto:i-d-announce@ietf.org> <i-d-announce@ietf.org <mailto:i-d-announce@ietf.org>>
>> Cc: tls@ietf.org <mailto:tls@ietf.org> <tls@ietf.org <mailto:tls@ietf.org>>
>> Subject: [TLS] I-D Action: draft-ietf-tls-hybrid-design-09.txt
>> 
>> Internet-Draft draft-ietf-tls-hybrid-design-09.txt is now available. It is a
>> work item of the Transport Layer Security (TLS) WG of the IETF.
>> 
>>    Title:   Hybrid key exchange in TLS 1.3
>>    Authors: Douglas Stebila
>>             Scott Fluhrer
>>             Shay Gueron
>>    Name:    draft-ietf-tls-hybrid-design-09.txt
>>    Pages:   23
>>    Dates:   2023-09-07
>> 
>> Abstract:
>> 
>>    Hybrid key exchange refers to using multiple key exchange algorithms
>>    simultaneously and combining the result with the goal of providing
>>    security even if all but one of the component algorithms is broken.
>>    It is motivated by transition to post-quantum cryptography.  This
>>    document provides a construction for hybrid key exchange in the
>>    Transport Layer Security (TLS) protocol version 1.3.
>> 
>>    Discussion of this work is encouraged to happen on the TLS IETF
>>    mailing list tls@ietf.org <mailto:tls@ietf.org> or on the GitHub repository which contains
>>    the draft: https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-c404f4af2592f2f4&q=1&e=367fabf2-370b-4cec-b657-05a8499decf6&u=https%3A%2F%2Fgithub.com%2Fdstebila%2Fdraft-ietf-tls-hybrid-design.
>> 
>> The IETF datatracker status page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
>> 
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-09.html
>> 
>> A diff from the previous version is available at:
>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-hybrid-design-09
>> 
>> Internet-Drafts are also available by rsync at:
>> rsync.ietf.org <http://rsync.ietf.org/>::internet-drafts
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org <mailto:TLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/tls
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org <mailto:TLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email