[TLS] FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt

John Mattsson <john.mattsson@ericsson.com> Sun, 09 March 2025 12:33 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "TLS@ietf.org" <tls@ietf.org>
Date: Sun, 09 Mar 2025 12:33:38 +0000
Message-ID: <GVXPR07MB9678E29CF1D00E59164EB89089D72@GVXPR07MB9678.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ly_c5gcWnvvgtbP0EUM8CPbnO4E>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

Hi,

When using X25519MLKEM768, I would like to know that the other peer is not reusing its key share (as long as it is compliant). As a server reusing a key share can have catastrophic security consequences for the client, I think this is a _very_ reasonable request.
https://emanjon.github.io/NIST-comments/2025%20-%20SP%20800-227.pdf

I don't care about x25519, secp256r1, etc. We are planning to support X25519MLKEM768 as soon as possible and then disable all groups that are not quantum-resistant as soon as possible. I also don't care about SecP256r1MLKEM768 and SecP384r1MLKEM1024 as we are not planning to support them.

I don't care about what other people do. If someone wants to use (semi-)static keys for performance or visibility, that is fine with me as long as I have the option to not communicate with such implementations.

I see three solutions:

1. Add normative text for X25519MLKEM768, MUST NOT reuse key share.
2. Add signaling that the key share is reused so peers have the option to abort the connection (similar to draft-rhrd-tls-tls13-visibility).
3. Register two different X25519MLKEM768 groups. One forbidding reuse and one allowing reuse (similar to TLS_ECDHE_ECDSA vs. TLS_ECDH_ECDSA).

I find the current situation of key shares being reused without the other peer knowing unacceptable and frankly the worst possible option.

As the old PRs were closed in the hope the issue was already solved, and changes to draft-ietf-tls-hybrid-design do not solve the issue unless normatively referenced from draft-kwiatkowski-tls-ecdhe-mlkem, I opened a new issue.
https://github.com/post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem/issues/34

Cheers,
John

On 2024-12-25, 07:08, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:
Internet-Draft draft-kwiatkowski-tls-ecdhe-mlkem-03.txt is now available.

   Title:   Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
   Authors: Kris Kwiatkowski
            Panos Kampanakis
            Bas Westerbaan
            Douglas Stebila
   Name:    draft-kwiatkowski-tls-ecdhe-mlkem-03.txt
   Pages:   9
   Dates:   2024-12-24

Abstract:

   This draft defines three hybrid key agreements for TLS 1.3:
   X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 which
   combine a post-quantum KEM with an elliptic curve Diffie-Hellman
   (ECDHE).

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-kwiatkowski-tls-ecdhe-mlkem-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
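The message above asks for a way for a client to know whether the server is reusing its X25519MLKEM768 key share. Until the draft settles on one of the three options, the only thing a client can do is observe: the ML-KEM-768 ciphertext in the server's share is necessarily fresh on every connection, but the X25519 half is exactly what a "(semi-)static" server would repeat. The following is an added example, not code from this thread, from the draft or from any of the listed authors. It parses a TLS 1.3 ServerHello, pulls the key_share entry, and flags a server that sends the same X25519 share twice. It assumes the codepoint 0x11EC for X25519MLKEM768 and the server share layout (1088-byte ML-KEM-768 ciphertext followed by the 32-byte X25519 share) as I read the draft; the ServerHello messages are constructed sample data, not captured traffic, and the `KeyShareReuseMonitor` name is mine.

```python
"""Flag a TLS 1.3 server that reuses the X25519 half of its X25519MLKEM768 share.

Added example; not part of the draft. Codepoint and share layout are my
reading of draft-kwiatkowski-tls-ecdhe-mlkem, so treat them as assumptions.
"""
import hashlib
import os
import struct
from collections import defaultdict

X25519MLKEM768 = 0x11EC          # assumed codepoint from the draft
MLKEM768_CIPHERTEXT_LEN = 1088   # ML-KEM-768 ciphertext size (FIPS 203)
X25519_SHARE_LEN = 32
EXT_KEY_SHARE = 51               # RFC 8446 extension type
HANDSHAKE_SERVER_HELLO = 2


def parse_server_hello(msg: bytes):
    """Parse a ServerHello handshake message (RFC 8446 4.1.3) and return
    (group, key_exchange) from its single KeyShareEntry."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    pos = 2 + 32                                  # legacy_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # legacy_session_id_echo
    pos += 2 + 1                                  # cipher_suite + compression
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extension length mismatch")
    while pos < end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == EXT_KEY_SHARE:
            group, ke_len = struct.unpack("!HH", data[:4])
            ke = data[4:4 + ke_len]
            if len(ke) != ke_len:
                raise ValueError("truncated key_exchange")
            return group, ke
    raise ValueError("no key_share extension")


def split_x25519mlkem768_server_share(ke: bytes):
    """Server share = ML-KEM-768 ciphertext || X25519 share (assumed layout)."""
    if len(ke) != MLKEM768_CIPHERTEXT_LEN + X25519_SHARE_LEN:
        raise ValueError("bad X25519MLKEM768 server share length")
    return ke[:MLKEM768_CIPHERTEXT_LEN], ke[MLKEM768_CIPHERTEXT_LEN:]


class KeyShareReuseMonitor:
    """Remembers, per server, every X25519 share seen; observe() returns True
    when a share repeats. A client could use that signal to abort, which is
    the option the e-mail asks for."""

    def __init__(self):
        self._seen = defaultdict(set)   # server name -> set of share digests

    def observe(self, server_name: str, server_hello: bytes) -> bool:
        group, ke = parse_server_hello(server_hello)
        if group != X25519MLKEM768:
            return False                # other groups are out of scope here
        _ciphertext, x25519_share = split_x25519mlkem768_server_share(ke)
        digest = hashlib.sha256(x25519_share).hexdigest()
        reused = digest in self._seen[server_name]
        self._seen[server_name].add(digest)
        return reused


def build_server_hello(group: int, key_exchange: bytes, rnd: bytes) -> bytes:
    """Constructed ServerHello with supported_versions and one key_share entry."""
    ks = struct.pack("!HH", group, len(key_exchange)) + key_exchange
    exts = struct.pack("!HH", 43, 2) + b"\x03\x04"              # supported_versions
    exts += struct.pack("!HH", EXT_KEY_SHARE, len(ks)) + ks
    body = b"\x03\x03" + rnd + b"\x00" + b"\x13\x01" + b"\x00"   # TLS_AES_128_GCM_SHA256
    body += struct.pack("!H", len(exts)) + exts
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


def demo():
    """Three connections to one server: the first two reuse a constructed
    'static' X25519 share, the third sends a fresh one."""
    static_x25519 = bytes(range(32))
    monitor = KeyShareReuseMonitor()
    results = []
    for i in range(3):
        ciphertext = os.urandom(MLKEM768_CIPHERTEXT_LEN)   # fresh every time
        x25519 = static_x25519 if i < 2 else os.urandom(X25519_SHARE_LEN)
        hello = build_server_hello(X25519MLKEM768, ciphertext + x25519, os.urandom(32))
        results.append(monitor.observe("example.test", hello))
    return results   # [False, True, False]


if __name__ == "__main__":
    print(demo())
```

Note that this only detects reuse a single client happens to see across its own connections; a server rotating shares per client, or reusing for a window shorter than the client's memory, stays invisible, which is why the message argues the signalling or the split codepoints have to come from the protocol rather than from heuristics on the client.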