Re: [TLS] ML-KEM key agreement for TLS 1.3
Deirdre Connolly <durumcrustulum@gmail.com> Thu, 14 March 2024 19:55 UTC
Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42404C14F6A5 for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 12:55:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.854
X-Spam-Level:
X-Spam-Status: No, score=-6.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lLHyuN_rR4lC for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 12:55:41 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF8BBC14F6A2 for <tls@ietf.org>; Thu, 14 Mar 2024 12:55:40 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-5687e7662a5so1906204a12.0 for <tls@ietf.org>; Thu, 14 Mar 2024 12:55:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710446139; x=1711050939; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6vaEqYaCk3J+sqeR0CYq9xMMBkZwZnxVq7eRcx8gsAQ=; b=UkBe9cYc18NOLSyBxvtZ0hl7JM0YC1v8m9U80w95YUQai2nuEY0AYHFbnLvWQ50OCx AVDZYzZLVPK/O/P+4UTndY+b4lkIKjgzlikIm1jHnfpfNobgEv+jNrtHlZ6gxmaRm3gs jUaHkTF1SexNp8u2e+qxQd49rC4KNXmTOD88o4w78/xeoeEGxjx+v1RsZtbC2QnFwM3R 783alWNzhjevde8ztJe/i+V+Zjg2ZAKHmwaqTDWghQrhuZlB/++G3yf+BOFA0q9RFv62 a0ei+kcCNPyOkKOTNWZuFUTzm4027zB4y2C+GZI+OZx4xx5bdbpn/idZo+fyLkFOSSGh 9NPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710446139; x=1711050939; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6vaEqYaCk3J+sqeR0CYq9xMMBkZwZnxVq7eRcx8gsAQ=; b=O3sL48yf2xcRfgG9wIK1nEZAdehjtwz/E0bM6Q9/oMmDxAXXjZ3jDsbfe/3MusXNZu /erObbYJi73ciE0wqNCZ81AuHv/rPdE8BUl1v9cXP9TTDwxyEm22qCrvZb4gHmG2jEE9 WHMb3yTBSvOwU2FMN16fB4Yzvn+vzsq3avSV3y0EFImA6EnCP2wvUxTuS7wXZNXkOaYG JFkqW6m5eOwmrIx+iKhNshi0A/5eF285l1as01CSnV4gQTuuoe+BfufMr7LaOL7rYxgR J8ky7H4xzC2Kccr7t+Fr3wH06N00NvgK8TMcjcwQVrm+hjONAV1r+Irk8BmLaemPkS1x heGQ==
X-Gm-Message-State: AOJu0Yz+GCSizlFsxqwhCWnDoEn9bSj3X12Z12m2wvaLEWeg5NYoYxdm IQsokE0MwDVUCw8lE/IiljFcjmKdAbRRg+LwpvqV8dJaItC8oPBOd5ywc9EXYZJa3MyO/x+fIYV IWbg7xtDjURx9sQJ1/MJGOIN3QQo=
X-Google-Smtp-Source: AGHT+IHj5gxivfGnMMnaZGYQJ1Hbhz+HwdrCYFcKF/4Oj7Fd9lz0me6E0iHfSczkjczr9dnRkozSlCZFPoP6mMQh5gM=
X-Received: by 2002:a05:6402:501e:b0:566:f5d6:4b4 with SMTP id p30-20020a056402501e00b00566f5d604b4mr2266262eda.12.1710446138556; Thu, 14 Mar 2024 12:55:38 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824wL3sZKoD6OzVpOi8=HZ+aFjqVi4L8UsF8b0p18KOEqVA@mail.gmail.com> <PH8PR09MB929495934EEC8829232EE5DCFC2A2@PH8PR09MB9294.namprd09.prod.outlook.com> <CAFR824ySu7+kA4a_3n9ytg6=3Ow-CPHR+dUJxYOhyh3wOnt1VQ@mail.gmail.com>
In-Reply-To: <CAFR824ySu7+kA4a_3n9ytg6=3Ow-CPHR+dUJxYOhyh3wOnt1VQ@mail.gmail.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Thu, 14 Mar 2024 15:55:26 -0400
Message-ID: <CAFR824zECKWMS=EH3pPnPfqeavAQVgZXm2+LLBSMwuFfSr9Lyw@mail.gmail.com>
To: Rebecca Guthrie <rmguthr@uwe.nsa.gov>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007f09830613a446f9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OExWcM5ZMH8QoUK4Y1ZlWD_2kzg>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 19:55:42 -0000
Whoops, I copy-pasted the wrong section, this is the definition for 'decrypt_error': > decrypt_error: A handshake (not record layer) cryptographic operation failed, including being unable to correctly verify a signature or validate a Finished message or a PSK binder. On Wed, Mar 13, 2024, 10:08 PM Deirdre Connolly <durumcrustulum@gmail.com> wrote: > Thank you very much for the notes! > > A few specific comments: > > > >> 1. In Section 1.1 (or Introduction - Motivation in the github version), I >> would suggest that the second sentence ("Having a fully post-quantum...") >> is not needed, i.e. that there need not be a justification for why it is >> necessary to specify how to use ML-KEM in TLS 1.3 (vs. hybrid). It could be >> appropriate to contextualize the specification of ML-KEM w.r.t the advent >> of a CRQC, though I also don't think that is necessary. As an example, we >> can compare to the Introduction in draft-ietf-lamps-cms-kyber-03. > > > Noted, tweaked on github slightly. > > > >> 2. Section 3 (Construction on github) currently reads, "We align with >> [hybrid] except that instead of joining ECDH options with a KEM, we just >> have the KEM as a NamedGroup." I think it is a more useful framing to base >> this specification (for the use of a standalone algorithm) off of RFC 8446 >> instead of the draft spec for a hybrid solution. I understand wanting to >> align the approach with the approach taken for the hybrid solution, but I >> don't think that fact needs to be explicitly documented in this draft. When >> this draft is standardized, I think it's important that it is able to be >> read, understood, and implemented without needing to refer to the hybrid >> draft. It could be stated (how it is in the hybrid draft), "ML-KEM-512 (if >> included), ML-KEM-768, and ML-KEM-1024 are represented as a NamedGroup and >> sent in the supported_groups extension." > > > Good point, tweaked 👍 > > 3. On a related note, the hybrid draft says, "Note that TLS 1.3 uses the >> phrase "groups" to refer to key exchange algorithms -- for example, the >> supported_groups extension -- since all key exchange algorithms in TLS 1.3 >> are Diffie-Hellman-based. As a result, some parts of this document will >> refer to data structures or messages with the term "group" in them despite >> using a key exchange algorithm that is not Diffie-Hellman-based nor a >> group." >> This seems okay, but on the IANA registry for TLS Supported Groups, it >> indicates 0-255 and 512-65535 are for elliptic curve groups, and 256-511 >> are for FFDH groups. Where does ML-KEM fit in? Do ranges need to be >> re-evaluated? As an example, for IKEv2, RFC 9370 changes the name of >> Transform Type 4 from Diffie-Hellman Group to Key Exchange Method in order >> to accommodate QR KEMs. > > > This is a good point: -hybrid-design allocates 0x6399 and 0x639A for the > two hybrid `NamedGroup`s so far. I don't have a strong opinion here, I > basically followed -hybrid-design's lead and picked 0x0768 and 0x1024 for > ML-KEM-768 and ML-KEM-1024. > > > >> 4. In the Discussion section (on github), does the portion on failures >> need to contain more information about how a failure should be handled in >> TLS? Should a decrypt_error alert be sent? > > > Oh very good point, DH doesn't usually fail like this; either because of > fundamental (incredibly unlikely) decapsulation failure rates, or just a > bug, this is good to handle, and we should probably update -hybrid-design > to match. I've tracked this in this GitHub issue > <https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/issues/1> > for now. For my own sake, here's the `decode_error` defintion from RFC > 8446: > > decode_error: A message could not be decoded because some field was > > out of the specified range or the length of the message was > > incorrect. This alert is used for errors where the message does > > not conform to the formal protocol syntax. This alert should > > never be observed in communication between proper implementations, > > except when messages were corrupted in the network. > > > > 5. In Section 4 (or Security Considerations on github), this may be a >> silly question, but is the definition of "commits" well-understood (in the >> first sentence on datatracker; in the first sentence of Binding properties >> on github)? It is not used in RFC 8446 so it might be worth explaining the >> meaning or using different phrasing in this sentence. > > > Noted > <https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/issues/2>; I > will either define in-line or consistently use 'bind' in the X-BIND-P-Q > sense (RFC 8446 uses 'bind' with the same colloquial sense but does not > appear to define it). > > On Wed, Mar 13, 2024 at 5:36 PM Rebecca Guthrie <rmguthr@uwe.nsa.gov> > wrote: > >> Greetings Deirdre and TLS, >> >> >> >> I read through draft-connolly-tls-mlkem-key-agreement-00 (and >> https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/blob/main/draft-connolly-tls-mlkem-key-agreement.md) >> and I have a few comments. First, though, I want to say thank you for >> writing this draft. I'll echo some of what has already been voiced on this >> thread and say that, while some plan to use composite key establishment, it >> makes sense to also specify the use of standalone ML-KEM in TLS 1.3 as >> another option. Other WGs (lamps and ipsecme) have already begun to specify >> the use of standalone FIPS 203, 204, and 205 in various protocols. With >> respect to this draft, there is certainly interest from National Security >> System vendors in using standalone ML-KEM-1024 in TLS 1.3 for CNSA 2.0 >> compliance (as CNSA 2.0 does not require nor recommend hybrid solutions for >> security). >> >> >> >> A few specific comments: >> >> >> >> 1. In Section 1.1 (or Introduction - Motivation in the github version), I >> would suggest that the second sentence ("Having a fully post-quantum...") >> is not needed, i.e. that there need not be a justification for why it is >> necessary to specify how to use ML-KEM in TLS 1.3 (vs. hybrid). It could be >> appropriate to contextualize the specification of ML-KEM w.r.t the advent >> of a CRQC, though I also don't think that is necessary. As an example, we >> can compare to the Introduction in draft-ietf-lamps-cms-kyber-03. >> >> >> >> 2. Section 3 (Construction on github) currently reads, "We align with >> [hybrid] except that instead of joining ECDH options with a KEM, we just >> have the KEM as a NamedGroup." I think it is a more useful framing to base >> this specification (for the use of a standalone algorithm) off of RFC 8446 >> instead of the draft spec for a hybrid solution. I understand wanting to >> align the approach with the approach taken for the hybrid solution, but I >> don't think that fact needs to be explicitly documented in this draft. When >> this draft is standardized, I think it's important that it is able to be >> read, understood, and implemented without needing to refer to the hybrid >> draft. It could be stated (how it is in the hybrid draft), "ML-KEM-512 (if >> included), ML-KEM-768, and ML-KEM-1024 are represented as a NamedGroup and >> sent in the supported_groups extension." >> >> >> >> 3. On a related note, the hybrid draft says, "Note that TLS 1.3 uses the >> phrase "groups" to refer to key exchange algorithms -- for example, the >> supported_groups extension -- since all key exchange algorithms in TLS 1.3 >> are Diffie-Hellman-based. As a result, some parts of this document will >> refer to data structures or messages with the term "group" in them despite >> using a key exchange algorithm that is not Diffie-Hellman-based nor a >> group." >> >> This seems okay, but on the IANA registry for TLS Supported Groups, it >> indicates 0-255 and 512-65535 are for elliptic curve groups, and 256-511 >> are for FFDH groups. Where does ML-KEM fit in? Do ranges need to be >> re-evaluated? As an example, for IKEv2, RFC 9370 changes the name of >> Transform Type 4 from Diffie-Hellman Group to Key Exchange Method in order >> to accommodate QR KEMs. >> >> >> >> 4. In the Discussion section (on github), does the portion on failures >> need to contain more information about how a failure should be handled in >> TLS? Should a decrypt_error alert be sent? >> >> >> >> 5. In Section 4 (or Security Considerations on github), this may be a >> silly question, but is the definition of "commits" well-understood (in the >> first sentence on datatracker; in the first sentence of Binding properties >> on github)? It is not used in RFC 8446 so it might be worth explaining the >> meaning or using different phrasing in this sentence. >> >> >> >> Also, what are the WG's thoughts on including standalone PQC signatures >> in the same draft? >> >> >> >> Thanks in advance! >> >> >> >> Rebecca >> >> >> >> Rebecca Guthrie >> >> she/her >> >> Center for Cybersecurity Standards (CCSS) >> >> Cybersecurity Collaboration Center (CCC) >> >> National Security Agency (NSA) >> >> >> >> From: TLS <tls-bounces@ietf.org> On Behalf Of Deirdre Connolly >> Sent: Tuesday, March 5, 2024 9:15 PM >> To: TLS@ietf.org >> Subject: [TLS] ML-KEM key agreement for TLS 1.3 >> >> >> >> I have uploaded a preliminary version of ML-KEM for TLS 1.3 >> <https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/> >> and have a more fleshed out >> <https://github.com/dconnolly/draft-tls-mlkem-key-agreement> version to >> be uploaded when datatracker opens. It is a straightforward new >> `NamedGroup` to support key agreement via ML-KEM-768 or ML-KEM-1024, in a >> very similar style to -hybrid-design >> <https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/>. >> >> >> >> It will be nice to have pure-PQ options (that are FIPS / CNSA 2.0 >> compatible) ready to go when users are ready to use them. >> >> >> >> Cheers, >> >> Deirdre >> >
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Kris Kwiatkowski
- [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Andrey Jivsov
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 John Mattsson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Ilari Liusvaara
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 John Mattsson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Watson Ladd
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Orie Steele
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Bas Westerbaan
- Re: [TLS] ML-KEM key agreement for TLS 1.3 John Mattsson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Rob Sayre
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Dennis Jackson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Dennis Jackson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Salz, Rich
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 John Mattsson
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Rebecca Guthrie
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Eric Rescorla
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Dennis Jackson
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Sofía Celi
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 David A. Cooper
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 D. J. Bernstein
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Bas Westerbaan
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Eric Rescorla
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Deirdre Connolly
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Sophie Schmieg
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Stephen Farrell
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Watson Ladd
- Re: [TLS] ML-KEM key agreement for TLS 1.3 Loganaden Velvindron
- Re: [TLS] [EXT] Re: ML-KEM key agreement for TLS … Blumenthal, Uri - 0553 - MITLL