IETF Logo Mail Archive

Re: [TLS] ML-KEM key agreement for TLS 1.3

Deirdre Connolly <durumcrustulum@gmail.com> Thu, 14 March 2024 12:53 UTC

Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA812C14F618 for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 05:53:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tOC084J2zTVy for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 05:53:11 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80B9AC14F5EE for <tls@ietf.org>; Thu, 14 Mar 2024 05:53:11 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-568a5114881so439092a12.1 for <tls@ietf.org>; Thu, 14 Mar 2024 05:53:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710420789; x=1711025589; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=79zmlksA0D3S47P8LFOZUrR3ypSS7oZtkvrfuk/rwLY=; b=dcwC8S3Tj1cs3cLSfn6jJ5gNHTSW4rAgwODhxyFgV6h7rrt4y/m+AXNaVMA0IBn1Yy 66z28DGcLTrBloQzgTqbwSVm5MVxjw8YBapYMOWqVKXFnkYXt4dYhfe8mdcNnJ4QmXzw DsPYZC9OjjDKThCS22kup5Nyl6a5yoQDy3U94oaX/9TZgfXgfjQ1j960VzoomG2re1RH RyLLwQLBhX6qjwFhEs+W+G354mgOI9rafkc8OSRUJy28trOGfecb4T0YkSD+V4k3cUvV kvTgRo+3N5a4OYuC8DOdbJJoZ4rgig7xFZYEswjhlNIrBHOrCu/MOYNshqBy82anTsD0 JmUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710420789; x=1711025589; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=79zmlksA0D3S47P8LFOZUrR3ypSS7oZtkvrfuk/rwLY=; b=dqW7hFQiOGpiVNV4iGaAh1DM0zuq+CE8pI8bxolrTB55fmhZ/yTBmcP6tXEt2BULFe N1IqMh7+9D9tijRA9t/D1xanYq100Cqntggn8VPAy6xRSMPJ8DmvN31VSfzQx6gRJF5y EzKzf4xLLi/da8cUqXTFC4TrrGz5qvrdOH/jaS1bmBHE2TZO+T3IJ/uSQQ4toLiWot5t 6ENN7GhorVchhgYtRtdOMyzf+7Gv5OeUxdTYrD6F64RGt8Fxx55uT6s1OI1U+rFn34Up cvMIzphW2lsV3w6mjZPHsf1+MeCXNd8r0JEzmGmqPAV2hapdabPKyf83qjKO+TXp36lh zCgw==
X-Gm-Message-State: AOJu0YyVFZyAaRIt+CApB5wvdNHlJ1BDmxsl9/ckyVvhrMUyvzjZp4ay DXmWBnlwmtsleIBgi9XIb4fNoSLx/n+8z6AphiPYq0uaRAMBoDcmfTIYlP/OLY2A53TfDKanhLe JijybZ2Wnau3NDB+h6naEL8yWj46Y2+hATw8=
X-Google-Smtp-Source: AGHT+IGoBEXfsZCaQL99toqcopjLCdm3ap5lbTWFIXRTnH5qs3Bl1ZHmSgar3rJbCiFr7+Gp971Q8WkmOJJoIVMgGqk=
X-Received: by 2002:aa7:d742:0:b0:568:3067:5191 with SMTP id a2-20020aa7d742000000b0056830675191mr982495eds.38.1710420787973; Thu, 14 Mar 2024 05:53:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824wL3sZKoD6OzVpOi8=HZ+aFjqVi4L8UsF8b0p18KOEqVA@mail.gmail.com> <PH8PR09MB929495934EEC8829232EE5DCFC2A2@PH8PR09MB9294.namprd09.prod.outlook.com> <CABcZeBO2sobjXJzW_FNXhfU_vspsr+9YLfcH5zG_JHTX65Os=Q@mail.gmail.com> <CAFR824xo9bL3S_r-GWSkEPhxTQ5yKiDmR4dxwy1LKq0rDCJQOQ@mail.gmail.com> <CAFR824yVjF3YNcwuqqzGnw1X4-j-w_x02ZnuBMKMZUTcXNknuQ@mail.gmail.com> <d6182f53-3ec0-4275-8da0-317f2c7c88ec@dennis-jackson.uk>
In-Reply-To: <d6182f53-3ec0-4275-8da0-317f2c7c88ec@dennis-jackson.uk>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Thu, 14 Mar 2024 08:52:30 -0400
Message-ID: <CAFR824zk=SEkRcX0fiSm62xZ=KhX953Hvm+xpYW2isyzroAfbA@mail.gmail.com>
To: Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007bd83f06139e5fc4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MRV8qdzohz7h-aoURKWiVc1OWZA>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 12:53:12 -0000

I would argue adding `ML-KEM` as a standalone NamedGroup is not more
complex than adding ECDH groups, the hybrid part is the already complex
part. To minimize complexity even more, one can 'just' do the X-Wing style
of having a hybrid NamedGroup that doesn't know anything about the other
available component NamedGroups, ie, no shared ephemeral ECDH or KEM
keypairs: less complex, a little more compute. I want there to be an option
to negotiate ML-KEM alone, and turn off / not compile in the hybrid
NamedGroups if I want to in my TLS 1.3 stack, and I think there will be a
non-trivial user base for such an option very soon.




On Thu, Mar 14, 2024 at 7:34 AM Dennis Jackson <ietf=
40dennis-jackson.uk@dmarc.ietf.org> wrote:

> On 14/03/2024 01:41, Deirdre Connolly wrote:
>
> Oh and one more consideration: hybrid brings complexity, and presenting
> the pure-PQ solutions and their strictly lesser complexity (at the tradeoff
> of maybe taking more risk against newer schemes no matter how good we feel
> about their fundamental cryptographic foundations) is worthwhile in my
> opinion.
>
> On Wed, Mar 13, 2024 at 9:39 PM Deirdre Connolly <durumcrustulum@gmail.com>
> wrote:
>
>> [...] Shaking out all the negotiation decisions is desirable as well as
>> 'drawing the rest of the owl' for the pure PQ option implied in the
>> negotiation (are we going to copy the same ~1000 bytes for the PQ and
>> hybrid name groups, when sharing an ephemeral KEM keypair?).
>>
> This is an argument that supporting PQ-only and PQ-hybrid simultaneously
> will be more complex than just PQ-hybrids and require further changes at
> the TLS layer.
>
> Given we've already paid the (minimal) complexity cost of hybrids and
> switching to PQ-only seems strictly less secure, I'm really struggling to
> see the motivation at this point in time. Once we're in a position to
> remove the classical key exchanges from TLS entirely because we know
> they're ineffective, switching to PQ-only might then have more benefit
> since we could retire a lot of old code.
>
>
>> For CNSA 2.0, it is cited not as a compatibility _requirement_ of TLS,
>> but a note that a non-trivial segment of users of standard TLS that have
>> been traditionally compliant will not be in a few years, and they will come
>> knocking anyway. This is trying to skate where the puck is going.
>>
>> But also, the fact that CNSA 2.0 explicitly requires ML-KEM _only_ key
>> agreement in the next ~6-9 years is a strong vote of confidence in any
>> protocol doing this at all, so, TLS wouldn't be out on a limb to support
>> this, basically.
>>
>> I don't have a strong opinion on whether this should be Recommended = Y.
>>
>> On Wed, Mar 13, 2024 at 6:42 PM Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>>
>>>
>>> On Wed, Mar 13, 2024 at 2:36 PM Rebecca Guthrie <rmguthr=
>>> 40uwe.nsa.gov@dmarc.ietf.org> wrote:
>>>
>>>> Greetings Deirdre and TLS,
>>>>
>>>>
>>>>
>>>> I read through draft-connolly-tls-mlkem-key-agreement-00 (and
>>>> https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/blob/main/draft-connolly-tls-mlkem-key-agreement.md)
>>>> and I have a few comments. First, though, I want to say thank you for
>>>> writing this draft. I'll echo some of what has already been voiced on this
>>>> thread and say that, while some plan to use composite key establishment, it
>>>> makes sense to also specify the use of standalone ML-KEM in TLS 1.3 as
>>>> another option. Other WGs (lamps and ipsecme) have already begun to specify
>>>> the use of standalone FIPS 203, 204, and 205 in various protocols. With
>>>> respect to this draft, there is certainly interest from National Security
>>>> System vendors in using standalone ML-KEM-1024 in TLS 1.3 for CNSA 2.0
>>>> compliance (as CNSA 2.0 does not require nor recommend hybrid solutions for
>>>> security).
>>>>
>>>
>>> I wanted to address this CNSA 2.0 point, as I've now seen it brought up
>>> a couple of times.
>>>
>>> The IETF, together with the IRTF, needs to make an independent judgement
>>> on whether using PQ-only algorithms is advisable, and if we do not think
>>> so, then we should not standardize them, regardless of what CNSA 2.0
>>> requires. The supported groups registry policies are designed explicitly to
>>> allow people to register non Standards Track algorithms, so nothing
>>> precludes the creation of an ML-KEM only code point if some vendors find
>>> that necessary, without the IETF standardizing them or marking them as
>>> Recommended=Y.
>>> -Ekr
>>>
>>>
>>>
>>>
>>>>
>>>> A few specific comments:
>>>>
>>>>
>>>>
>>>> 1. In Section 1.1 (or Introduction - Motivation in the github version),
>>>> I would suggest that the second sentence ("Having a fully post-quantum...")
>>>> is not needed, i.e. that there need not be a justification for why it is
>>>> necessary to specify how to use ML-KEM in TLS 1.3 (vs. hybrid). It could be
>>>> appropriate to contextualize the specification of ML-KEM w.r.t the advent
>>>> of a CRQC, though I also don't think that is necessary. As an example, we
>>>> can compare to the Introduction in draft-ietf-lamps-cms-kyber-03.
>>>>
>>>>
>>>>
>>>> 2. Section 3 (Construction on github) currently reads, "We align with
>>>> [hybrid] except that instead of joining ECDH options with a KEM, we just
>>>> have the KEM as a NamedGroup." I think it is a more useful framing to base
>>>> this specification (for the use of a standalone algorithm) off of RFC 8446
>>>> instead of the draft spec for a hybrid solution. I understand wanting to
>>>> align the approach with the approach taken for the hybrid solution, but I
>>>> don't think that fact needs to be explicitly documented in this draft. When
>>>> this draft is standardized, I think it's important that it is able to be
>>>> read, understood, and implemented without needing to refer to the hybrid
>>>> draft. It could be stated (how it is in the hybrid draft), "ML-KEM-512 (if
>>>> included), ML-KEM-768, and ML-KEM-1024 are represented as a NamedGroup and
>>>> sent in the supported_groups extension."
>>>>
>>>>
>>>>
>>>> 3. On a related note, the hybrid draft says, "Note that TLS 1.3 uses
>>>> the phrase "groups" to refer to key exchange algorithms -- for example, the
>>>> supported_groups extension -- since all key exchange algorithms in TLS 1.3
>>>> are Diffie-Hellman-based.  As a result, some parts of this document will
>>>> refer to data structures or messages with the term "group" in them despite
>>>> using a key exchange algorithm that is not Diffie-Hellman-based nor a
>>>> group."
>>>>
>>>> This seems okay, but on the IANA registry for TLS Supported Groups, it
>>>> indicates 0-255 and 512-65535 are for elliptic curve groups, and 256-511
>>>> are for FFDH groups. Where does ML-KEM fit in? Do ranges need to be
>>>> re-evaluated? As an example, for IKEv2, RFC 9370 changes the name of
>>>> Transform Type 4 from Diffie-Hellman Group to Key Exchange Method in order
>>>> to accommodate QR KEMs.
>>>>
>>>>
>>>>
>>>> 4. In the Discussion section (on github), does the portion on failures
>>>> need to contain more information about how a failure should be handled in
>>>> TLS? Should a decrypt_error alert be sent?
>>>>
>>>>
>>>>
>>>> 5. In Section 4 (or Security Considerations on github), this may be a
>>>> silly question, but is the definition of "commits" well-understood (in the
>>>> first sentence on datatracker; in the first sentence of Binding properties
>>>> on github)? It is not used in RFC 8446 so it might be worth explaining the
>>>> meaning or using different phrasing in this sentence.
>>>>
>>>>
>>>>
>>>> Also, what are the WG's thoughts on including standalone PQC signatures
>>>> in the same draft?
>>>>
>>>>
>>>>
>>>> Thanks in advance!
>>>>
>>>>
>>>>
>>>> Rebecca
>>>>
>>>>
>>>>
>>>> Rebecca Guthrie
>>>>
>>>> she/her
>>>>
>>>> Center for Cybersecurity Standards (CCSS)
>>>>
>>>> Cybersecurity Collaboration Center (CCC)
>>>>
>>>> National Security Agency (NSA)
>>>>
>>>>
>>>>
>>>> *From:* TLS <tls-bounces@ietf.org> *On Behalf Of * Deirdre Connolly
>>>> *Sent:* Tuesday, March 5, 2024 9:15 PM
>>>> *To:* TLS@ietf.org
>>>> *Subject:* [TLS] ML-KEM key agreement for TLS 1.3
>>>>
>>>>
>>>>
>>>> I have uploaded a preliminary version of ML-KEM for TLS 1.3
>>>> <https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/>
>>>> and have a more fleshed out
>>>> <https://github.com/dconnolly/draft-tls-mlkem-key-agreement> version
>>>> to be uploaded when datatracker opens. It is a straightforward new
>>>> `NamedGroup` to support key agreement via ML-KEM-768 or ML-KEM-1024, in a
>>>> very similar style to -hybrid-design
>>>> <https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/>.
>>>>
>>>>
>>>>
>>>> It will be nice to have pure-PQ options (that are FIPS / CNSA 2.0
>>>> compatible) ready to go when users are ready to use them.
>>>>
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Deirdre
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>
> _______________________________________________
> TLS mailing listTLS@ietf.orghttps://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email