Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Tim Hollebeek <tim.hollebeek@digicert.com> Mon, 06 November 2023 13:25 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
CC: John Mattsson <john.mattsson@ericsson.com>, "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QY03e344GUlmqeWQ8vH9_FDCNX4>

I’m fine if the cocktail napkin says “we’ll either do A or B, we’re still figuring that out”.

What I’m trying to avoid is the situation where everyone has a different notional quantum-safe TLS design in their heads, but nobody realizes it because nobody has bothered to try to write down the details, even at a very high level.

If it changes in the future due to new events or analysis, that’s ok too.

-Tim

From: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
Sent: Monday, November 6, 2023 1:14 PM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: John Mattsson <john.mattsson@ericsson.com>; TLS@ietf.org
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

(3)-(5) are exactly the hard problems I’ve been thinking a lot about lately.  I’d actually be tempted to say that AuthKEM vs signatures is something we should figure out ASAP.  I read AuthKEM again this morning, and it has a lot of attractive features, but I’m not quite sure what the right answer is yet.

I don't think we can settle the future of PQ authentication in TLS just yet — there are still many unknowns. To name a few:

1. What signature schemes are on the horizon? MAYO [1] from the NIST signatures on-ramp would be great, if it doesn't turn out to be broken.

2. How will the confidence in existing schemes develop? AuthKEM will look different depending on whether it can use Kyber-512 or Kyber-1024. Also, will it replace Dilithium5 or Dilithium2?

3. What other higher level changes is the ecosystem able to adopt? For instance Merkle Tree Certs [2].

These are all hard questions, and although I do not believe we can answer them now, we should be thinking about them right now. I think we should have different pots on the fire, so to say.

Best,

Bas

[1] https://pqmayo.org/params-times/

[2] https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/