IETF Logo Mail Archive

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

Hubert Kario <hkario@redhat.com> Tue, 04 April 2023 11:31 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57FEBC151B16 for <tls@ietfa.amsl.com>; Tue, 4 Apr 2023 04:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sjgV1gkxhS0P for <tls@ietfa.amsl.com>; Tue, 4 Apr 2023 04:31:38 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D42CBC151B0C for <tls@ietf.org>; Tue, 4 Apr 2023 04:31:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1680607896; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=GRDh9d7zOfvetqQRGoDgSRnvi3+FhWH8vOAmsTfvZ+Q=; b=SE1RquNKG/rlLquvrz41eTQ9W74Jgrj38s15J7c7DMkBTy/tn3/J3yaLbryHiBuFqaRL8D 9Hc9FEfpNlk4sZ4TPC6xCq66lFdMVLSuCZXUDhYactQIQ4a1if3PW84I59+GKT5FF4jzad JbUJeD297CrUvyurhQtWjZBdNMX6Ho0=
Received: from mail-qt1-f198.google.com (mail-qt1-f198.google.com [209.85.160.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-90-MsofZN1GM4efrjtINHyaZg-1; Tue, 04 Apr 2023 07:31:35 -0400
X-MC-Unique: MsofZN1GM4efrjtINHyaZg-1
Received: by mail-qt1-f198.google.com with SMTP id v10-20020a05622a130a00b003e4ee70e001so15745593qtk.6 for <tls@ietf.org>; Tue, 04 Apr 2023 04:31:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680607894; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=GRDh9d7zOfvetqQRGoDgSRnvi3+FhWH8vOAmsTfvZ+Q=; b=lfA3Rdxi9TRDA7UsJJI5is89GU4J3fWvTHzsNelzmv/qnEXn6pZn2W5KrOkhIvYtvj yxvutVcRQOJSETRnJTO2eNyvGEGedzJUEi0tHC5HoRXwpsXTt6VvIOTyfxPMGdEdiaRC rBeHu9X3kCc/knFKoVxuweSqX4KdqVBpb6SQ5mt49kOvwP0qJOEPYAkNBqwybpO1MlUR 09FLlZ7mcJdeQQp96ByVdpu52LIyDQkrgPcsQWbydhFS3Ms9MzibahiL0psdOVPPGQoE u7gw7ki0BdWUFU9q++M8Bb7RwFnjtsodpryV0gRsf2QXXlMqaP2FjevODVOp3NQ41EcV U+yA==
X-Gm-Message-State: AAQBX9eZZDUvIf8qkfsatxPxlzfkK/ZCsOAAUCdGCOj2YGzrrduU2e6T YZ/ClhMTHAIdrYCJ5Cn+wo7MaJFQE4cOXXH7qva1CYJ3fuJz+Ifab9M6m8z5wB3PGd0uhRfZ/YL N2/I=
X-Received: by 2002:ac8:598c:0:b0:3d6:90e6:61f5 with SMTP id e12-20020ac8598c000000b003d690e661f5mr2942119qte.36.1680607894586; Tue, 04 Apr 2023 04:31:34 -0700 (PDT)
X-Google-Smtp-Source: AKy350bUt/7e1Z2ujHAPhNEk1IUD6PZCY4rDoxpUTcJAHg4sHnCtdxCR97ElTS7e4KLWc67xSu/u3w==
X-Received: by 2002:ac8:598c:0:b0:3d6:90e6:61f5 with SMTP id e12-20020ac8598c000000b003d690e661f5mr2941898qte.36.1680607892540; Tue, 04 Apr 2023 04:31:32 -0700 (PDT)
Received: from localhost (ip-94-112-137-58.bb.vodafone.cz. [94.112.137.58]) by smtp.gmail.com with ESMTPSA id r19-20020ae9d613000000b007464fcca543sm3516085qkk.50.2023.04.04.04.31.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Apr 2023 04:31:32 -0700 (PDT)
From: Hubert Kario <hkario@redhat.com>
To: Krzysztof Kwiatkowski <kris@amongbytes.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, tls@ietf.org
Date: Tue, 04 Apr 2023 13:31:29 +0200
MIME-Version: 1.0
Message-ID: <003b3de8-d786-4b46-8f15-e5b5f5c5f07f@redhat.com>
In-Reply-To: <A9B55B7A-C352-4880-9A66-13664D461EAB@amongbytes.com>
References: <6cf86afa53f348c69d5a22ed50ae6d4b@amazon.com> <7B644960-382D-4270-95E8-CE5637347A62@ll.mit.edu> <ZCUoRUuJQ55I7qJ4@LK-Perkele-VII2.locald> <A9B55B7A-C352-4880-9A66-13664D461EAB@amongbytes.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.7; xcb; Linux; Fedora release 36 (Thirty Six)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/L7mvxKKuVF-s3dmc-4_CqZBfdu8>
Subject: Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2023 11:31:39 -0000

On Saturday, 1 April 2023 03:50:04 CEST, Krzysztof Kwiatkowski wrote:
>> I would pair secp384r1 with Kyber768 for completely different reasons:
>> Kyber768 is what the team kyber recommends.
> Agreed.
>
>> I don't think there are very good reasons for NIST curves here outside
>> wanting CNSA1 compliance, and for that you need secp384r1 classical
>> part. And for that, I would pick secp384r1_kyber768.
>> 
> From my perspective, the two reasons for including a NIST curves are:
> 1. To have an option for those who require FIPS compliance. In 
> a short term at least one key agreement scheme should be 
> FIPS-approved. In the long term both of them should be 
> fips-approved. That way, in case security of Kyber768 falls 
> below 112-bits or simply implementation is broken, one can still 
> run key agreement in FIPS compliant manner. In the end, the 
> ultimate goal of hybrid-tls draft is to ensure that at least one 
> of the schemes provides security if the other gets broken. Would 
> be good to use this in FIPS context also.
> 2. NIST curves are more often implemented in HW than 
> Curve25519. When working with chips like ATECC608B, one ideally 
> only adds SW-based Kyber and can reuse existing HW-based ECDH. 
> Such migration is simpler, less risky and time-consuming than 
> adding SW-based X25519.
>

there's a third reason: the public CAs that support ECDSA almost 
exclusively
support just P-256 and P-384, so if somebody implements ECDSA for the 
public
internet, they have to support those two curves at the very least.

-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email