Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 09 November 2023 11:00 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QGQ57RK1lFY_cGRShJrHAlSN9y8>

We had that argument several IETFs ago (IETF 105?), and the clear consensus of the working group was that explicit named hybrid combinations (e.g. one for ML-KEM-512 + X25519) were the way to go.

Do we want to reopen that argument?  Now, I was on the other side (and I still think it would be a better engineering decision, given the right negotiation mechanism), but if it delays actual deployment, I would prefer if we didn't.

From: TLS <tls-bounces@ietf.org> On Behalf Of John Mattsson
Sent: Thursday, November 9, 2023 3:48 AM
To: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>; tls@ietf.org
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Hi,

Everybody seems to agree that hybrids should be specified. Looking in my crystal ball, I predict that registering hybrids as code points will be a big mess with way too many opinions and registrations similar to the TLS 1.2 cipher suites. The more I think about it, the more I think TLS 1.3 should standardize a generic solution for combining two or more key shares.

My understanding of what would be needed:

- New "split_key_PRF" extension indicating that client supports split-key PRF.

- When "split_key_PRF" is negotiated the server may choose more than one group/key share.

      struct {
          NamedGroup selected_groups<0..2^16-1>;
      } KeyShareHelloRetryRequest;

      struct {
          KeyShareEntry server_shares<0..2^16-1>;
      } KeyShareServerHello;

- When "split_key_PRF" is negotiated HKDF-Expand(Secret, HkdfLabel, Length) is replaced by a split-key PRF(Secret1, Secret2, ... , HkdfLabel, Length)

I think the current structure that the TLS server makes the decisions on "groups" and "key shares" should be kept.

There was a short discussion earlier on the list
https://mailarchive.ietf.org/arch/msg/tls/Z-s8A0gZsRudZ9hW4VoCsNI9YUU/


Sophie Schmieg <sschmieg@google.com> wrote:
"Our stated intention is to move to Kyber once NIST releases the standard"
"I do not think it makes a lot of sense to have multiple schemes based on structured lattices in TLS, and Kyber is in my opinion the superior algorithm."

I agree with that.

Cheers,
John Preuß Mattsson



From: TLS <tls-bounces@ietf.org> on behalf of Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>
Date: Thursday, 9 November 2023 at 08:40
To: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
> > On 8 Nov 2023, at 8:34, Loganaden Velvindron <loganaden@gmail.com> wrote:
> >
> > I support moving forward with hybrids as a proactively safe deployment
> > option. I think that supporting
> > only Kyber for KEX  is not enough. It would make sense to have more options.
> >
> > Google uses NTRU HRSS internally:
> > https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms
> >
> > If Google decides to use this externally, how easy would it be to get
> > a codepoint for TLS ?
> As easy as writing it up in a stable document (may or may not be an Internet-draft) and asking IANA for a code point assignment.
>
> It can be done in days, if needed.
>
>  Yoav

Just to clarify a few things about our internal usage of NTRU-HRSS: This is for historic reasons.

Our stated intention is to move to Kyber once NIST releases the standard, see e.g. my talk at PQCrypto [1], where I go into some detail on this topic.
Long story short, we had to choose a candidate well before even NIST's round 3 announcement, and haven't changed since changing a ciphersuite, while relatively straightforward, is not free, so we would like to avoid doing it twice in a year.
The only security consideration that went into the decision for NTRU was that we wanted to use a structured lattice scheme, with NTRU being chosen for non-security related criteria that have since materially changed.
I do not think it makes a lot of sense to have multiple schemes based on structured lattices in TLS, and Kyber is in my opinion the superior algorithm.

[1] https://www.youtube.com/watch?v=8PYYM3G7_GY
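
Added illustration, not part of the thread and not a construction anyone on the list specified: one possible shape for the PRF(Secret1, Secret2, ..., HkdfLabel, Length) call John Mattsson describes, folding each secret through HKDF-Extract before the usual RFC 8446 HkdfLabel expansion, shown next to plain concatenation of the secrets. The function names, the choice of SHA-256 and the sample inputs are assumptions.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256            # assumption: SHA-256 cipher suite hash
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """Serialize the HkdfLabel structure of RFC 8446, section 7.1."""
    full = b"tls13 " + label
    return (struct.pack("!H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def split_key_prf(secrets, label: bytes, context: bytes, length: int) -> bytes:
    """Hypothetical combiner: every secret keys its own HMAC step, so the
    boundaries between secrets and their order both affect the output."""
    if len(secrets) < 2 or any(len(s) == 0 for s in secrets):
        raise ValueError("need at least two non-empty secrets")
    prk = bytes(HASH_LEN)                  # all-zero initial salt
    for secret in secrets:
        prk = hkdf_extract(prk, secret)    # previous PRK is the next salt
    return hkdf_expand(prk, hkdf_label(length, label, context), length)


def concat_prf(secrets, label: bytes, context: bytes, length: int) -> bytes:
    """Plain concatenation, for contrast: unambiguous only when every
    secret has a fixed, known length."""
    prk = hkdf_extract(bytes(HASH_LEN), b"".join(secrets))
    return hkdf_expand(prk, hkdf_label(length, label, context), length)
```

With variable-length inputs, `concat_prf` maps `[b"ab", b"c"]` and `[b"a", b"bc"]` to the same key, while the folded version keeps them distinct.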

