IETF Logo Mail Archive

Re: [TLS] [EXT] Re: What is the TLS WG plan for quantum-resistant algorithms?

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 06 November 2023 22:29 UTC

Return-Path: <prvs=1674172e5b=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46A9BC151993; Mon, 6 Nov 2023 14:29:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wXgjdN6DGNhk; Mon, 6 Nov 2023 14:29:35 -0800 (PST)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3DD2C16F40A; Mon, 6 Nov 2023 14:29:34 -0800 (PST)
Received: from LLEX2019-1.mitll.ad.local ([172.25.4.123]) by MX3.LL.MIT.EDU (8.17.1.19/8.17.1.19) with ESMTPS id 3A6MSvlA125446 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 6 Nov 2023 17:28:57 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=Rn/rKmPx3Kjft1wzj+66zjDGR+A5M5P6DowYidIAXfiGQxLAmShKiv5RIQQnSNdH1n34WeQusA0rX73ipTMZNxo43j0xP/l98mwRdytkDU3kr6rfW/n2CDnkLF/FdHUxAY563C5VsxrHCwSac9/E8LkhnmKnM6s8IbJRR03Iv9vViNfH5Plvwz1loCOzuaFkJFXWI8Sskn/p8iCvB8V6bcw/E5qAOOsylZnAbbkc9yM5FWtpTVp/GSuD/go94hbaRcq5Km1C7ACfYj0D+oNe0r9aD7n2MNYPGDZyXCjKdNxhkfvMm9Vwfek3nTP26fK+EwWAJPvt/GwnYeM6RRO8dA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ZNEJ37Ghgc46FeAwjjdcdHJWluDpO88aivN+M9kN3pM=; b=LyVZT/AOtxXdRowEde+gIttoYDJVmrk87klSP2crNsmn2IXkmtqrFbkiZSiDde1rUCZqxRsc4B0TRkQ+VDtIk+PWfz9N7LRruXrreJSKHUHWyA3pRaiPGBvVCjogNestCPEOiPBQTmFTo3gjGbFzSv6Z242zGKpUK5ANJfvy5wxiScSTjwfVAMSO5EmLi/W4+7J9SfopPKikMys30wJGEcw14SNDu5sF2vEOsZ44QGdd+C/XzKi2JWGNFbG++ujbgk5fBwsZ6WTmVpG9gfW8gxG1SboqGh+qiU0dW4F/WgM+pN/ZRIWmQh7I/BX86J2IBT0fhou3jGB3GsB5HIBkgw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
CC: "TLS@ietf.org" <tls@ietf.org>
Thread-Topic: [EXT] Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
Thread-Index: AQHaEQCtLX70MopLb0Sgra3GNuzhHg==
Date: Mon, 06 Nov 2023 22:29:16 +0000
Message-ID: <C96DC528-B3CB-460D-A3ED-EF930C59A92A@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.78.23102801
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH1P110MB1412:EE_|PH1P110MB1187:EE_
x-ms-office365-filtering-correlation-id: ff69515c-dec0-4e76-661f-08dbdf17cff9
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: EKGAtpAR2112FDgRpHUGF7DIDDmm+CC4UOxhYgGKy/2mXStSt0t+v2IJHqZ5ZemJ8lwg4Jp0gwdLUWiu9utwORWZnsOpWmMiCX7IZ4C55KLXi/2gnnsv0ilRduwl646yRjXjXTidjye2PqLn4fwMnxt0GBjq/5cysoO0/QlGCK4oJckeQrSFVQWGGmuPjRMMqRyvDrxj8YlGzZpCy2N4Zd/3VdC3DNDXoVYKMKMGuLuBPw9tEivXs4E15zivrLPzwHOF0NfErLzAmo/VDdS38fg7nGcWa2KFehUNnh3NznshokTiXvVgB3o+t7FMtk06Tezj+wsXkW4zX/SXclLlCGipgFfOBUP+Baz+mbiHRs1HMl8HwF2Ahj/54uBZTjg8tjeGulKBo1d6N2oepbGWiuQahtVP4P07uE0vHnHoyAnYdfIZNHnP4JgkGoshZvsXx3UIMKV2AcpKJh/TsL40WgonS+qNLwwE+yXKu0iOUsvod93M7v+nsuLxJyldlzdju7K1d0/4QPSbGw0G6oGIQ/U3In4Sk7Qxt+h1NwTDEi+9knPKbQPx7aIGoz9l2yn68FjfKOAGupsVZWK3khJYVvATEQWz4dKy1F6X9dLMNwhIC85LpBaD1DspjrrRcTXbPjwMqnqDI8mvwP4akaipaQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH1P110MB1412.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(136003)(39830400003)(396003)(366004)(230922051799003)(186009)(1800799009)(64100799003)(451199024)(2616005)(66899024)(21615005)(6512007)(122000001)(66574015)(76116006)(75432002)(966005)(26005)(508600001)(66946007)(64756008)(66446008)(66476007)(66556008)(110136005)(38070700009)(53546011)(6506007)(41320700001)(71200400001)(8936002)(8676002)(4326008)(2906002)(6486002)(38100700002)(166002)(33656002)(83380400001)(5660300002)(41300700001)(86362001)(99936003)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ULTB7+9316XTkWLbSfFnZ3wALOtSXP0BUtgaRx/jo8OsW0DIQSGqdsOiiwoNQHkDyvyKzrDUYkV7IeTe7kBEi8qMW0wQ4LWgmgxtVQOoKC/jFylhusoavrGD7ZCFTmxSOKJUy9yKndk3B+6pwEd4BhqEH9l+Phq/zc/qGw42APnDb69PpOYQlHOxbdCFfn6+oMnV9SJofeiEUjq2h0l5l/ehZGXMzc9PQlcuUHLJi2RXcEk6TlDaYnwaW8E4A147T/EFiYlC892kUnUikATh38khUWcQt84baKT7+TT7FRWsbVSEXE0pjWojHdJuKvzzUpoq1bRo3PtaWzvdeKPpqk3G2SjOH49wVugNlIRdSUsxGnDmJuFgM7DBEi5g4i5uo7EQO+pd00y0QWld9IavvY2BvF/Jq1BJzrI7iT7Kflff7QyA9e3P/S/8QQyrFT+tmlenwiDdZWI7edk6P6xVPc3cdtApZyNmV43EdHTCIa82AlTJgr4JeWDfApTkTyhVx/tsUooBzbM0N0dtCYsKhhbbp811joRuQqZz7GAWGzovgTy7+nk+L5GgyZGl6xkKAZbumC6ju7hTru+DkNYUqdllXONSvYtj/E4atCYoEmphAbPWUk7WqkNe5+CsMDA4Wtk5UUTvYxiJvjL7QHpkpf6aj8+Hu55u0sMVqdba7XLBT0q0XkXMb2ovqzgX7Kv63hQA7KvwBYg60fPUd9g1XghkouTAFMiedjRXzj6ZQofXDbiyB5KfXpnQNtqczRUEpk/MGQ252SFJ6oZjMrCuZztjxZr/t/6eXlMMh8JE5NNWXz1oc22iYn4zlvVZjxalw4XPzfpwgUvvpE6qOVgn4ldUfvG9HxeEYJ7DMqZ5QQptrLgch5IL0ajdve4svePd/WIIfoIHptyugE3peqDiNnlzQitSQYWJ6DbY9zOrLCuMWarHVFnq0xTYLpRveI0ZJrETfaU1316sdNwFTi1uhkUNa5RjZoQFJiRBp3iSutC8dPGbx7SjuyC86bqEj8IdeaHKe1WJWSv/IkxT7IBMs1KRdqX2N/pMPFD2vHCtC6zdc/fhbn1BaTFomL3jj/4kCXj5eKV88bNXSmMV0keMAcg+9dFphyWLDJdmfo1yLXI+jRAr1KF0wd3jCiaIoYTRL3ZLCbiv2E+hBl3pnb4vGaA7eXhuZ6lvoYFTwXGjVK84Eg4P9SC0YQGzsKz8OFeTW4Guh6SgE+XYKZieFj7sOpuKRLq0c3f1gliVWEmjGcbbpHQiTQJMOrkAWJ+eUMxN28pW6nR2HBcMJtoYCxIqYkhGC4DcVsoZOXNI6w5cFXrZXPT5sMMIwv3QuKsDMNvRJ6F7ZidurRQsF/9Wxt/49lHqml4NxfXfrws/cQKG2BLG5mcrVfVXYAKe8FBed2tG3W922fTmJTWMvIsjhK711OARkkigOElhuH5g/64/pxeHeTLraRMmu0cUNMdISS7RmFz/2o4llcZmCtWeQCtd4AaDFft2aqyCBhBbNFRiicM=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3782136556_2992825438"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH1P110MB1412.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: ff69515c-dec0-4e76-661f-08dbdf17cff9
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Nov 2023 22:29:16.9525 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH1P110MB1187
X-Proofpoint-ORIG-GUID: 4FpebhlgPkaWV6o_dlUl5jJOPbQBf68a
X-Proofpoint-GUID: 4FpebhlgPkaWV6o_dlUl5jJOPbQBf68a
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-11-06_15,2023-11-02_03,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 suspectscore=0 bulkscore=0 adultscore=0 malwarescore=0 mlxlogscore=999 phishscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2310240000 definitions=main-2311060184
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PA1LJe26TrNRhljkvgNjzwUe8v0>
Subject: Re: [TLS] [EXT] Re: What is the TLS WG plan for quantum-resistant algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2023 22:29:39 -0000

Do we want rfc describing the final NIST standards? And for which? I'm ok with that — in this order of priority: ml-kem, ml-dsa, slh-dsa.
 

Probably yes, and in the order you described.

 

For which algorithms do we want to assign codepoints once the NIST standards are out? Codepoints are cheap and use cases/rules are different, but especially with the hybrids, I'd encourage us to try to be disciplined and keep the list as short as we can for now, so that early adopters for which it doesn't matter, all choose the same thing. The DNS mechanism of draft-davidben-tls-key-share-prediction helps on the performance side, but it doesn't solve the duplicate engineering/validation if there are a dozen essentially equivalent KEMs.
 

Leaving this question alone, at least for now.

 

Do we want to standardise non-hybrid KEMs for TLS? I don't care for them yet, but others might.
 

Absolutely yes.

 

Do we need hybrid signatures for the TLS handshake? I don't see the use, but could be convinced otherwise.
 

I don’t need/want them, but can’t/won’t forbid others from using them. They still don’t make sense to me.

 

What is the future of AuthKEM? That's definitely a different e-mail thread.
 

I hope it becomes a mainstream standard.

 

Concretely, after ML-KEM is finished, I was planning to update draft-schwabe-cfrg-kyber to match it, and proposing to register a codepoint for a single ML-KEM-768 hybrid in draft-ietf-tls-hybrid-design.

 

Great!

 

Thanks 

 

On Mon, Nov 6, 2023 at 10:10 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:

Hi,


NIST has released draft standards for ML-KEM, ML-DSA, and ML-SLH. Final standards are expected in Q1 2024.

https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography

 

I would like to have standard track TLS (and DTLS, QUIC) RFCs for ML-KEM and ML-DSA (all security levels standardized by NIST) as soon as possible after the final NIST standards are ready. 3GPP is relying almost exclusively on IETF RFCs for uses of public key cryptography (the exception is ECIES for IMSI encryption but that will likely use HPKE with ML-KEM in the future).

 

Looking at the TLS document list, it seems severely lacking when it comes to ML-KEM, ML-DSA…

 

The adopted draft-ietf-tls-hybrid-design is an informal draft dealing with the pre-standard Kyber. 

https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

AuthKEM is a quite big change to TLS

https://datatracker.ietf.org/doc/draft-wiggers-tls-authkem-psk/

 

This is not adopted, informal, and dealing with the pre-standard Kyber.

https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/

 

What is the TLS WG plan for quantum-resistant algorithms? My current view is that I would like ML-KEM-512, ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, and ML-DSA-87 registered asap. For hybrid key exchange I think X25519 and X448 are the only options that make sense. For hybrid signing, ECDSA, EdDSA, and RSA could all make sense.

 

Cheers,
John

 

From: TLS <tls-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Date: Friday, 8 September 2023 at 02:48
To: i-d-announce@ietf.org <i-d-announce@ietf.org>
Cc: tls@ietf.org <tls@ietf.org>
Subject: [TLS] I-D Action: draft-ietf-tls-hybrid-design-09.txt

Internet-Draft draft-ietf-tls-hybrid-design-09.txt is now available. It is a
work item of the Transport Layer Security (TLS) WG of the IETF.

   Title:   Hybrid key exchange in TLS 1.3
   Authors: Douglas Stebila
            Scott Fluhrer
            Shay Gueron
   Name:    draft-ietf-tls-hybrid-design-09.txt
   Pages:   23
   Dates:   2023-09-07

Abstract:

   Hybrid key exchange refers to using multiple key exchange algorithms
   simultaneously and combining the result with the goal of providing
   security even if all but one of the component algorithms is broken.
   It is motivated by transition to post-quantum cryptography.  This
   document provides a construction for hybrid key exchange in the
   Transport Layer Security (TLS) protocol version 1.3.

   Discussion of this work is encouraged to happen on the TLS IETF
   mailing list tls@ietf.org or on the GitHub repository which contains
   the draft: https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-c404f4af2592f2f4&q=1&e=367fabf2-370b-4cec-b657-05a8499decf6&u=https%3A%2F%2Fgithub.com%2Fdstebila%2Fdraft-ietf-tls-hybrid-design.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-09.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-hybrid-design-09

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email