Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 17 August 2022 20:38 UTC
Return-Path: <prvs=6228e8a2e6=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69BD7C15257A; Wed, 17 Aug 2022 13:38:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vIZn6Zob7uW5; Wed, 17 Aug 2022 13:38:34 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 965CFC152577; Wed, 17 Aug 2022 13:38:34 -0700 (PDT)
Received: from LLEX2019-3.mitll.ad.local (llex2019-3.llan.ll.mit.edu [172.25.4.125]) by MX2.LL.MIT.EDU (8.17.1.5/8.17.1.5) with ESMTPS id 27HKcGr0137811 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 17 Aug 2022 16:38:16 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=jOlpBfSw7Eaq86jIdqhBuKD61rh/sikf3rt5agYr8UM2mdsA+cBF+DyhaQpAgD4KpLDGBaW9O7N0LvOjZG4AQz7vFgxDGN9UQ9jXZ+iQJmtGNuwd8Om1dbdhDt5tYoX23d0lo+px5YtLDadlMWWe3cVgnsnMVarT04skPRi/d57zG6wUYECON00lcruHIFIKvVTjJt+CnYnlAru50gHmYX5PIw79JrZa+31h7mA/D41oIW22uYPB52ljo8pxqVykenYcMwtXSOkniJDUKRybwQooPo3R6Ot8Af98pWZUUNcvxjUSEpf8JZILPdxuZ/bp+YP5JLgdW3sv+GTQ1/0b3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=a62iF8RIHRISWb3C1bLEGBlfGwa/8AFSx2jSKnHbes4=; b=saFG6AaVeikOF2PDvNBw8z+GpH+NQksBEcGX8x9L7PHW7zg8fcGU0GihT7PrHjLyDBaQFjbb3UALRNYeYpslAQXJCZKELdZgZiXsWhR/OARmQ4QoIGOdvSR9agHJuUd4lUatE+XlpM+1gbayw09CcGJkGFLYF14//7J78ApOmVdXbCOurH/6cdxE5jijlkGOKnzO9sqtOCQMZvdBLp1Rh21fncd5JKqg9qbjiiUaBS05io4oA17S88XdcIM2GhxnkK84E+3bFBp7vkSSk+Qu340hDJEvgT1wA/LdCB0UN5VQJJ+aw+WNr7ylyCzIJgSGh6w/nrR1/oJj0sj2mhkP4g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, Kris Kwiatkowski <kris@amongbytes.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] WGLC for draft-ietf-tls-hybrid-design
Thread-Index: AQHYWktvUxdKiyH7R0WiPoK6lwjmCq0HnNsAgACRXACAAHDOgICjmuEAgAFfooCABorgAIAABt+AgAAPUQD//8BMAA==
Date: Wed, 17 Aug 2022 20:38:13 +0000
Message-ID: <AF9615F5-7022-44BD-ACB0-1E1AD29C098B@ll.mit.edu>
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <e43fc649-3fc6-333b-c44d-55de0627c710@cs.tcd.ie> <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald> <38de10e6-ab3c-6ea1-44b7-57057c97e7aa@cs.tcd.ie> <CH0PR11MB5444D7D4F32F195FFB189C10C1679@CH0PR11MB5444.namprd11.prod.outlook.com> <Yve/S5OoKZMnUjNz@LK-Perkele-VII2.locald> <CH0PR11MB54447BA50DA9DA02F6DA2511C16A9@CH0PR11MB5444.namprd11.prod.outlook.com> <680a267a-6cd1-cf70-8f01-c31d9e823025@amongbytes.com> <8d84f215ceec4e0c8da26d57f42ac61c@amazon.com>
In-Reply-To: <8d84f215ceec4e0c8da26d57f42ac61c@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.63.22070801
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bc09a366-86f0-4c0c-d92d-08da809067bc
x-ms-traffictypediagnostic: BN0P110MB1610:EE_
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: eNntlcWFxwKhJ8zugVWoqoQsM0p17VftmLSZff39HlX80n4b1xx78y/C0WKjXd9LrpPPaSwILvScKPX6B+Akq9fesfceKUK7kkf1FQeHHI1YDHTgtM/AA8LQGM5HDMKg2LvHaxyV9mmUJan+cuXszQY4MVIpwexMxG14hl+OvkabUc9RGIL5xzGVFxZBoshkbVVisNmEbGDFmfSPww//lZeCKYQ42n6EG80tHf6HvhWgaHlxQigexZUyR8pg3OaoyQ01yy5tgB5Lw0AyXNNgm/4i3N6ceLjqchj1di/Eu8oT5ROmH+c4cAL4+1mQjZTRRco983vSJmTmNucHe02VEZS0rohTSBK9CXdfUb/U6KVSYv/h6jxi98Cd+Z12tJZ/l9OVtJGqMisyEWC+FYijl1HhxKp5MJeNXrxrW4KklSfydDg93hd1RJnGPBRPguvWGK0HwD6hjo3itLnoM4Zz/sS+Tf8KqeTj0vy+C2J8pP1Lp3QYqh+wYN37BfC71Xgql62CLUB1s6hfus1SSxz1mlxHJ2xklHiwoHW/s7etDF2s6kvYzhOrgrQ6zRqYva6I8qZVz5MAEOFmRpEcQYE7biOol0YYUxFufo38BGfICeG9CXa/+MEz0IRaPOLNjI2f31jNGBAcv68YlhbDyvbfi7xdysDLVKKaUmpw/b+fOQzcHFaIQWudz0vMIVL4aIb1VO9+kPOw+cenXypvB/oDpNz7RAYcBgszRgW90avPAog=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(366004)(53546011)(2616005)(33656002)(6512007)(26005)(6506007)(186003)(2906002)(86362001)(38070700005)(38100700002)(83380400001)(122000001)(99936003)(8676002)(5660300002)(110136005)(66946007)(498600001)(64756008)(8936002)(66446008)(71200400001)(6486002)(76116006)(66556008)(66476007)(75432002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: uOIKPzWGq/mewTxaYCWFIRT89ud/04+B6fd1pIWXTbdchLLrSHn0/TFU1jnp1t8txI7FDYlOl2hMqFUWkgSBqjOTll0QvuYAW7OyMtxYMGBjdN0GbTUHblrsWEFKEMb3VqNNSbBkUQint5mWd2fUAXEM2FdAII2/X2u51IKqhTl8T2S3EsIEOcVkyVOrkHyn54y1VDn1xVToo7x9JIJRf7AgzrlmIvVm6cb2kwLVHMTZ5CpJydWElO6I2RI+W7rvaPo2Mi1HAqLYIMraw3rp6ECL8WM3Y3Kc3BFTqIVDwBV0tkbdEZ/7AMF3s2koQw3l6bSqoHxrEn1gsoNSywq9BKitoog/4uD3WxAuZch33wofKlRa+aHWiLIYmtjJXclZ4fAkA178jt14z2zFCVx+PgBqdU22U5SJuCpzY0H3WtA=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3743599092_2536285692"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: bc09a366-86f0-4c0c-d92d-08da809067bc
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Aug 2022 20:38:13.0265 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1610
X-Proofpoint-GUID: Bk8ysrYrLBjI8xUrOwRvBV-5QSBysqDO
X-Proofpoint-ORIG-GUID: Bk8ysrYrLBjI8xUrOwRvBV-5QSBysqDO
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-17_14,2022-08-16_02,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 spamscore=0 adultscore=0 suspectscore=0 mlxscore=0 phishscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2208170076
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Nmcx5TajdllRWuKQ_siesyvKZZg>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2022 20:38:39 -0000
+1 on the 3 proposed by Scott and P256+Kyber512 proposed by Kris. “Me too”: +1 to the above. From: TLS <tls-bounces@ietf.org> On Behalf Of Kris Kwiatkowski Sent: Wednesday, August 17, 2022 3:31 PM To: tls@ietf.org I support those choices, but would also add P256+Kyber512. * (1) same reason as below (by Scott) * (2) to be able to declare security of generated keys in FIPS-mode for _both_ - classical and post-quantum schemes (once Kyber is standardized). After double-checking with NIST today, currently there is no clear plan for updating SP 800-56A with X25519 (opposite to SP 800-186). Kind regards, Kris On 8/17/22 20:06, Scott Fluhrer (sfluhrer) wrote: So that we get an initial answer to this (so we can put it into the draft - of course, we can debate what's in the draft...) Illari suggested: X25519+Kyber768 P384+Kyber768 Well, I would suggest adding in X25519+Kyber512 For those situations where we need to limit the message size (perhaps DTLS and QUIC). Is the working group happy with that? -----Original Message----- From: TLS <tls-bounces@ietf.org> On Behalf Of Ilari Liusvaara Sent: Saturday, August 13, 2022 11:12 AM To: TLS@ietf.org Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design On Fri, Aug 12, 2022 at 06:13:38PM +0000, Scott Fluhrer (sfluhrer) wrote: Again, this is late, however Stephen did ask this to be discussed in the working group, so here we go: -----Original Message----- From: TLS <tls-bounces@ietf.org> On Behalf Of Stephen Farrell Sent: Saturday, April 30, 2022 11:49 AM To: Ilari Liusvaara <ilariliusvaara@welho.com>; TLS@ietf.org Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Hiya, On 30/04/2022 10:05, Ilari Liusvaara wrote: On Sat, Apr 30, 2022 at 01:24:58AM +0100, Stephen Farrell wrote: - section 5: IMO all combined values here need to have recommended == "N" in IANA registries for a while and that needs to be in this draft before it even gets parked. Regardless of whether or not the WG agree with me on that, I think the current text is missing stuff in this section and don't recall the WG discussing that I think that having recommended = Y for any combined algorithm requires NIST final spec PQ part and recommended = Y for the classical part (which allows things like x25519 to be the classical part). That is, using latest spec for NISTPQC winner is not enough. This impiles recommended = Y for combined algorithm is some years out at the very least. I agree, and something like the above points ought be stated in the draft after discussion in the WG. Section 5 is 'IANA considerations', and would be where we would list the various supported hybrids, which we don’t at the moment. Well, if we were to discuss some suggested hybrids (and we now know the NIST selection), I would suggest these possibilities: - X25519 + Kyber512 - P256 + Kyber512 - X448 + Kyber768 - P384 + Kyber768 I would take: X25519+Kyber768 P384+Kyber768 The reason for taking Kyber768 is because the CRYSTALS team recommends it. The reason for taking P384 is because it is CNSA-approved, so folks that need CNSA can use that. Of course, that is likely to bust packet size limits. I do not think that is an issue in TLS, but DTLS and QUIC might be another matter entierely (in theory DTLS and QUIC can handle it just fine, practice might be another matter entierely. And if such problems are there, it is good to know about those... This stuff is experimental). Of course, it's possible that NIST will tweak the definition of Kyber; that's just a possibility we'll need to live with (and wouldn't change what hybrid combinations we would initially define) I would think such changes would just mean the interim post-quantum kex is not compatible with the final one. Not that big of deal, there are tens of thoursands of free codepoints. If an implementation needs both, it can probably share vast majority of the code. -Ilari
- [TLS] WGLC for draft-ietf-tls-hybrid-design Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Nimrod Aviram
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Nimrod Aviram
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Douglas Stebila
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Ilari Liusvaara
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Russ Housley
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Ilari Liusvaara
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Florence D
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Jonathan Hammell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Bas Westerbaan
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Ilari Liusvaara
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kris Kwiatkowski
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kampanakis, Panos
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kampanakis, Panos
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Bas Westerbaan
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kris Kwiatkowski
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Sofía Celi
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kris Kwiatkowski
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Bas Westerbaan
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Ilari Liusvaara