IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-hybrid-design

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 17 August 2022 20:38 UTC

Return-Path: <prvs=6228e8a2e6=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69BD7C15257A; Wed, 17 Aug 2022 13:38:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vIZn6Zob7uW5; Wed, 17 Aug 2022 13:38:34 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 965CFC152577; Wed, 17 Aug 2022 13:38:34 -0700 (PDT)
Received: from LLEX2019-3.mitll.ad.local (llex2019-3.llan.ll.mit.edu [172.25.4.125]) by MX2.LL.MIT.EDU (8.17.1.5/8.17.1.5) with ESMTPS id 27HKcGr0137811 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 17 Aug 2022 16:38:16 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=jOlpBfSw7Eaq86jIdqhBuKD61rh/sikf3rt5agYr8UM2mdsA+cBF+DyhaQpAgD4KpLDGBaW9O7N0LvOjZG4AQz7vFgxDGN9UQ9jXZ+iQJmtGNuwd8Om1dbdhDt5tYoX23d0lo+px5YtLDadlMWWe3cVgnsnMVarT04skPRi/d57zG6wUYECON00lcruHIFIKvVTjJt+CnYnlAru50gHmYX5PIw79JrZa+31h7mA/D41oIW22uYPB52ljo8pxqVykenYcMwtXSOkniJDUKRybwQooPo3R6Ot8Af98pWZUUNcvxjUSEpf8JZILPdxuZ/bp+YP5JLgdW3sv+GTQ1/0b3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=a62iF8RIHRISWb3C1bLEGBlfGwa/8AFSx2jSKnHbes4=; b=saFG6AaVeikOF2PDvNBw8z+GpH+NQksBEcGX8x9L7PHW7zg8fcGU0GihT7PrHjLyDBaQFjbb3UALRNYeYpslAQXJCZKELdZgZiXsWhR/OARmQ4QoIGOdvSR9agHJuUd4lUatE+XlpM+1gbayw09CcGJkGFLYF14//7J78ApOmVdXbCOurH/6cdxE5jijlkGOKnzO9sqtOCQMZvdBLp1Rh21fncd5JKqg9qbjiiUaBS05io4oA17S88XdcIM2GhxnkK84E+3bFBp7vkSSk+Qu340hDJEvgT1wA/LdCB0UN5VQJJ+aw+WNr7ylyCzIJgSGh6w/nrR1/oJj0sj2mhkP4g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, Kris Kwiatkowski <kris@amongbytes.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] WGLC for draft-ietf-tls-hybrid-design
Thread-Index: AQHYWktvUxdKiyH7R0WiPoK6lwjmCq0HnNsAgACRXACAAHDOgICjmuEAgAFfooCABorgAIAABt+AgAAPUQD//8BMAA==
Date: Wed, 17 Aug 2022 20:38:13 +0000
Message-ID: <AF9615F5-7022-44BD-ACB0-1E1AD29C098B@ll.mit.edu>
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <e43fc649-3fc6-333b-c44d-55de0627c710@cs.tcd.ie> <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald> <38de10e6-ab3c-6ea1-44b7-57057c97e7aa@cs.tcd.ie> <CH0PR11MB5444D7D4F32F195FFB189C10C1679@CH0PR11MB5444.namprd11.prod.outlook.com> <Yve/S5OoKZMnUjNz@LK-Perkele-VII2.locald> <CH0PR11MB54447BA50DA9DA02F6DA2511C16A9@CH0PR11MB5444.namprd11.prod.outlook.com> <680a267a-6cd1-cf70-8f01-c31d9e823025@amongbytes.com> <8d84f215ceec4e0c8da26d57f42ac61c@amazon.com>
In-Reply-To: <8d84f215ceec4e0c8da26d57f42ac61c@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.63.22070801
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bc09a366-86f0-4c0c-d92d-08da809067bc
x-ms-traffictypediagnostic: BN0P110MB1610:EE_
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: eNntlcWFxwKhJ8zugVWoqoQsM0p17VftmLSZff39HlX80n4b1xx78y/C0WKjXd9LrpPPaSwILvScKPX6B+Akq9fesfceKUK7kkf1FQeHHI1YDHTgtM/AA8LQGM5HDMKg2LvHaxyV9mmUJan+cuXszQY4MVIpwexMxG14hl+OvkabUc9RGIL5xzGVFxZBoshkbVVisNmEbGDFmfSPww//lZeCKYQ42n6EG80tHf6HvhWgaHlxQigexZUyR8pg3OaoyQ01yy5tgB5Lw0AyXNNgm/4i3N6ceLjqchj1di/Eu8oT5ROmH+c4cAL4+1mQjZTRRco983vSJmTmNucHe02VEZS0rohTSBK9CXdfUb/U6KVSYv/h6jxi98Cd+Z12tJZ/l9OVtJGqMisyEWC+FYijl1HhxKp5MJeNXrxrW4KklSfydDg93hd1RJnGPBRPguvWGK0HwD6hjo3itLnoM4Zz/sS+Tf8KqeTj0vy+C2J8pP1Lp3QYqh+wYN37BfC71Xgql62CLUB1s6hfus1SSxz1mlxHJ2xklHiwoHW/s7etDF2s6kvYzhOrgrQ6zRqYva6I8qZVz5MAEOFmRpEcQYE7biOol0YYUxFufo38BGfICeG9CXa/+MEz0IRaPOLNjI2f31jNGBAcv68YlhbDyvbfi7xdysDLVKKaUmpw/b+fOQzcHFaIQWudz0vMIVL4aIb1VO9+kPOw+cenXypvB/oDpNz7RAYcBgszRgW90avPAog=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(366004)(53546011)(2616005)(33656002)(6512007)(26005)(6506007)(186003)(2906002)(86362001)(38070700005)(38100700002)(83380400001)(122000001)(99936003)(8676002)(5660300002)(110136005)(66946007)(498600001)(64756008)(8936002)(66446008)(71200400001)(6486002)(76116006)(66556008)(66476007)(75432002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: uOIKPzWGq/mewTxaYCWFIRT89ud/04+B6fd1pIWXTbdchLLrSHn0/TFU1jnp1t8txI7FDYlOl2hMqFUWkgSBqjOTll0QvuYAW7OyMtxYMGBjdN0GbTUHblrsWEFKEMb3VqNNSbBkUQint5mWd2fUAXEM2FdAII2/X2u51IKqhTl8T2S3EsIEOcVkyVOrkHyn54y1VDn1xVToo7x9JIJRf7AgzrlmIvVm6cb2kwLVHMTZ5CpJydWElO6I2RI+W7rvaPo2Mi1HAqLYIMraw3rp6ECL8WM3Y3Kc3BFTqIVDwBV0tkbdEZ/7AMF3s2koQw3l6bSqoHxrEn1gsoNSywq9BKitoog/4uD3WxAuZch33wofKlRa+aHWiLIYmtjJXclZ4fAkA178jt14z2zFCVx+PgBqdU22U5SJuCpzY0H3WtA=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3743599092_2536285692"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: bc09a366-86f0-4c0c-d92d-08da809067bc
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Aug 2022 20:38:13.0265 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1610
X-Proofpoint-GUID: Bk8ysrYrLBjI8xUrOwRvBV-5QSBysqDO
X-Proofpoint-ORIG-GUID: Bk8ysrYrLBjI8xUrOwRvBV-5QSBysqDO
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-17_14,2022-08-16_02,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 spamscore=0 adultscore=0 suspectscore=0 mlxscore=0 phishscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2208170076
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Nmcx5TajdllRWuKQ_siesyvKZZg>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2022 20:38:39 -0000

+1 on the 3 proposed by Scott and P256+Kyber512 proposed by Kris. 

 

“Me too”: +1 to the above.

 

From: TLS <tls-bounces@ietf.org> On Behalf Of Kris Kwiatkowski
Sent: Wednesday, August 17, 2022 3:31 PM
To: tls@ietf.org
I support those choices, but would also add P256+Kyber512.
* (1) same reason as below (by Scott)
* (2) to be able to declare security of generated keys in FIPS-mode for
      _both_ - classical and post-quantum schemes (once Kyber is standardized). 
After double-checking with NIST today, currently there is no clear plan for
updating SP 800-56A with X25519 (opposite to SP 800-186).

Kind regards,
Kris

On 8/17/22 20:06, Scott Fluhrer (sfluhrer) wrote:
So that we get an initial answer to this (so we can put it into the draft - of course, we can debate what's in the draft...)
 
Illari suggested:
 
X25519+Kyber768
P384+Kyber768
 
Well, I would suggest adding in
 
X25519+Kyber512
 
For those situations where we need to limit the message size (perhaps DTLS and QUIC).
 
Is the working group happy with that?
 
-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Ilari Liusvaara
Sent: Saturday, August 13, 2022 11:12 AM
To: TLS@ietf.org
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
 
On Fri, Aug 12, 2022 at 06:13:38PM +0000, Scott Fluhrer (sfluhrer) wrote:
Again, this is late, however Stephen did ask this to be discussed in the
working group, so here we go:
 
-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Stephen Farrell
Sent: Saturday, April 30, 2022 11:49 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>; TLS@ietf.org
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
 
 
Hiya,
 
On 30/04/2022 10:05, Ilari Liusvaara wrote:
On Sat, Apr 30, 2022 at 01:24:58AM +0100, Stephen Farrell wrote:
- section 5: IMO all combined values here need to have
recommended == "N" in IANA registries for a while and that needs
to be in this draft before it even gets parked. Regardless of
whether or not the WG agree with me on that, I think the current
text is missing stuff in this section and don't recall the WG
discussing that
 
I think that having recommended = Y for any combined algorithm
requires NIST final spec PQ part and recommended = Y for the
classical part (which allows things like x25519 to be the classical part).
 
That is, using latest spec for NISTPQC winner is not enough. This
impiles recommended = Y for combined algorithm is some years out
at the very least.
 
I agree, and something like the above points ought be stated in the
draft after discussion in the WG.
 
Section 5 is 'IANA considerations', and would be where we would list
the various supported hybrids, which we don’t at the moment.
 
Well, if we were to discuss some suggested hybrids (and we now know
the NIST selection), I would suggest these possibilities:
 
- X25519 + Kyber512
- P256 + Kyber512
- X448 + Kyber768
- P384 + Kyber768
 
I would take:
 
X25519+Kyber768
P384+Kyber768
 
The reason for taking Kyber768 is because the CRYSTALS team recommends
it. The reason for taking P384 is because it is CNSA-approved, so folks that
need CNSA can use that.
 
Of course, that is likely to bust packet size limits. I do not think that is an
issue in TLS, but DTLS and QUIC might be another matter entierely (in theory
DTLS and QUIC can handle it just fine, practice might be another matter
entierely. And if such problems are there, it is good to know about those...
This stuff is experimental).
 
 
Of course, it's possible that NIST will tweak the definition of Kyber;
that's just a possibility we'll need to live with (and wouldn't change
what hybrid combinations we would initially define)
 
I would think such changes would just mean the interim post-quantum kex is
not compatible with the final one. Not that big of deal, there are tens of
thoursands of free codepoints. If an implementation  needs both, it can
probably share vast majority of the code.
 
 
 
-Ilari

v2.23.0 | Report a Bug | By Email