Re: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt

["Kampanakis, Panos" <kpanos@amazon.com>]

> So, while I'm not that enthusiastic about paying a few K, I think on balance it's a better than doing this kind of major rearchitecture of TLS.

+1. KEMTLS is a great scheme but significantly changes the TLS state machine. It introduces implicit and explicit auth concepts which do not exist in TLS 1.3 and would need further security proofs and study. Also, it may save ~1-2KB of data (Falcon, Dilithium assumed), but still uses PQ Sigs in the PKI which means we go to 10+ KB for the cert chain. So we alleviate 1-2KB, but still have to deal with 10+. Also note ia.cr/2019/1447<https://ia.cr/2019/1447> which makes the argument that the more the data the more the slowdown in lossy environments (which intuitively makes sense as the loss probability (1-(1-p)n) increases with more packets). Imo the draft-celi-wiggers-tls-authkem should be considered for future versions of TLS as the drastic changes do not justify the marginal benefit.

And a couple of comments regarding Ekr’s points:

> - If you are doing TLS over TCP, then the server can use IW10 as specified in RFC 6928. This will allow the server's first flight to be about 14 KB, which should be large enough.

That is not completely accurate. The smallest Dilithium parameters will fit in 10MSS only when doing plain TLS (no SCTs, no OCSP staples) with up to 2 ICAs. Anything else will go beyond 14KB. Now if we talk web (include SCTs), then only 1 ICA would fit with Dilithium-II.

Having said that, if we talk about the other lattice based NIST PQ Sig Finalist, Falcon-512, then there are more TLS cases (up to 3 ICAs) where the data would fit in an TCP initcwnd.  For Falcon-1024 that is not the case either.

> - If you are doing QUIC, then the server is restricted to 3x the client's initial message, which is potentially a problem with very large server first flights, but the client can add extra bytes to its Initial messages to increase the limit [0]

Padding to the client initial message to 1200B would mean the QUIC amplification attack protection would kick in for any PQ KEM Round 3 Finalist and any PQ Sig Finalist, even Falcon-512 which is the smallest one. The smallest PQ Sig will still be >3x when used with X25519+the biggest PQ KEM Finalists. I am not sure what dummy key exchange data and how much of it someone could put in the client message in order to reach 2.5KB in the request in order for the response to fit in the 3x2.5 window necessary (assuming 2 ICAs).

I think the best answer to the extra round-trip problems which are inevitable for PQ Sigs (as shown in ia.cr/2020/071<https://ia.cr/2020/071> , dl.acm.org/<https://dl.acm.org/doi/10.1145/3386367.3431305>doi<https://dl.acm.org/doi/10.1145/3386367.3431305>/10.1145/3386367.3431305<https://dl.acm.org/doi/10.1145/3386367.3431305>) is Martin’s draft-<https://datatracker.ietf.org/doc/html/draft-thomson-tls-sic>thomson<https://datatracker.ietf.org/doc/html/draft-thomson-tls-sic>-<https://datatracker.ietf.org/doc/html/draft-thomson-tls-sic>tls<https://datatracker.ietf.org/doc/html/draft-thomson-tls-sic>-sic<https://datatracker.ietf.org/doc/html/draft-thomson-tls-sic> which should be revived imo.

Cert compression will not help as these big certs mostly consist of big keys or sigs which are random sequences and thus do not benefit from compression.

Rgs,
Panos






From: TLS <tls-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: Monday, July 12, 2021 9:10 PM
To: Douglas Stebila <dstebila@gmail.com>
Cc: <tls@ietf.org> <tls@ietf.org>
Subject: RE: [EXTERNAL] [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.




On Mon, Jul 12, 2021 at 5:58 PM Douglas Stebila <dstebila@gmail.com<mailto:dstebila@gmail.com>> wrote:
Hi Eric,

The main motivation is that, in some cases, post-quantum signatures are larger in terms of communication size compared to a post-quantum KEM, under the same cryptographic assumption.

For example, the KEM Kyber (based on module LWE) at the 128-bit security level has 800-byte public keys and 768-byte ciphertexts.  The matching signature scheme Dilithium (also based on module LWE) has 1312-byte public keys and 2420-byte signatures.  Doing KEM-based server authentication rather than signature-based server authentication would thus save 2164 bytes per handshake.

Doug,

Thanks for the explanation.

I agree that all things being equal it's good to save bytes, but in this case, I think this is the wrong tradeoff.

In general, TLS handshake latency is dominated not by message size but by the number of round trips you have to use to perform the handshake, which is only loosely coupled to the number of bytes.

Specifically:
- If you are doing TLS over TCP, then the server can use IW10 as specified in RFC 6928. This will allow the server's first flight to be about 14 KB, which should be large enough.
- If you are doing QUIC, then the server is restricted to 3x the client's initial message, which is potentially a problem with very large server first flights, but the client can add extra bytes to its Initial messages to increase the limit [0]

And of course, there are mechanisms for shrinking the handshake, such as RFC 8879 certificate compression or draft=thomson-tls-sic.

So, while I'm not that enthusiastic about paying a few K, I think on balance it's a better than doing this kind of major rearchitecture of TLS.

-Ekr

[0] Or the server can send a Retry packet, incurring a round trip, but this only needs to be done the first time as long as the client's IP doesn't change.


> On Jul 12, 2021, at 20:30, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:
>
> Hi folks,
>
> I have just given draft-celi-wiggers-tls-authkem-00.txt a quick
> read. I'm struggling a bit with the rationale, which I take to be
> these paragraphs:
>
>    In this proposal we use the DH-based KEMs from [I-D.irtf-cfrg-hpke].
>    We believe KEMs are especially worth discussing in the context of the
>    TLS protocol because NIST is in the process of standardizing post-
>    quantum KEM algorithms to replace "classic" key exchange (based on
>    elliptic curve or finite-field Diffie-Hellman [NISTPQC]).
>
>    This proposal draws inspiration from [I-D.ietf-tls-semistatic-dh],
>    which is in turn based on the OPTLS proposal for TLS 1.3 [KW16].
>    However, these proposals require a non-interactive key exchange: they
>    combine the client's public key with the server's long-term key.
>    This imposes a requirement that the ephemeral and static keys use the
>    same algorithm, which this proposal does not require.  Additionally,
>    there are no post-quantum proposals for a non-interactive key
>    exchange currently considered for standardization, while several KEMs
>    are on the way.
>
> I see why this motivates using a KEM for key establishment, but I'm
> not sure it motivates this design, which seems like a fairly radical
> change to TLS. As I understand the situation, in the post-quantum
> world we're going to have:
>
> - non-interactive KEMs (as you indicate above)
> - some sort of signature system (otherwise we won't have certificates).
>
> This certainly argues that we need a KEM for key establishment, but
> not for authentication. Instead, why can't we use signatures for
> authentication, as TLS does today? I.e., the certificates would have a
> (potentially post-quantum) signing key in them and you then use the
> KEM for key establishment and the signing key for authentication.
> That would give us a design much closer to the present TLS 1.3
> (effectively just defining a new group for the KEM).
>
> What am I missing?
>
> -Ekr
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org<mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls