IETF Logo Mail Archive

Re: [TLS] -draft8447bis: rename Support Group Elliptic curve groups space

Eric Rescorla <ekr@rtfm.com> Fri, 29 March 2024 21:14 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A807C14F610 for <tls@ietfa.amsl.com>; Fri, 29 Mar 2024 14:14:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.893
X-Spam-Level:
X-Spam-Status: No, score=-6.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A6_7pvukvZCk for <tls@ietfa.amsl.com>; Fri, 29 Mar 2024 14:14:07 -0700 (PDT)
Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CB72C14F6A6 for <tls@ietf.org>; Fri, 29 Mar 2024 14:13:49 -0700 (PDT)
Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-61444fb1d2bso7865067b3.3 for <tls@ietf.org>; Fri, 29 Mar 2024 14:13:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1711746828; x=1712351628; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fkFxzxFnCY6HYicYD5BRq9T1OV2izoBXyhYnA3RsKEE=; b=pb+dvQF8VlPKelfLB4B4bibMOejUBW2s1/3Td05fBAtI0uXyCSORLGX63d4st8LA3e VmSqM7sGG8HQ5GEFpru6vUi3gSGdo106hWIY6+HN2/4D/y/GD1N3Jd5usD8j8OnLIzLa A9rtqNLbuKLzQyAuIA+4VhK0y0ngzHHuyeJ2BIGZAlcg8iGp0+5OOgHjrL5VF3DOdeCJ Yavsa6DY2Zy+491MM4BwfuRdvgM/MH8fJNFu0bPGQmHmSoOawnM1gAjbnVNsK2Kv/K5B 1P9cXikXgRLn1RhgEHnFLllhXrYddxpEK90/yBU8DLIEv5V/4SbDreEaPs5MJt+bH6ss Ibgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711746828; x=1712351628; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fkFxzxFnCY6HYicYD5BRq9T1OV2izoBXyhYnA3RsKEE=; b=L6qmDl2VPr4SF6XjU1jUcIxpjpaWj8l3SJNuHSNkgQ8UL6o9Goxj6nVb1CwMBfHegX N8J0MGUyyIgdM0i9UmaS7jgHKZsr3TbFmmyvMVxfY9LMKbpUH0cH9pOmSJgjcx7TBp8B uIToG/fZ1zCoJgZwuorMy0pTZoEdzD5EyYlqrYMlo/u2t9hInDRlVdRE6FSE/eNQtQf6 oYXjqKKDsn+XB+NUlD0V2NhiHIhgEtfCMo0IKwQAo7z1ObYD338Y2MOxyEX+O+XKdB+I FK4pDFYxCJP4wVT3DcytIrmHEDpUBSEwVAzmjJmQ8vdvrAysIqWv5Dm6NhKbJYGixKe3 xUuQ==
X-Forwarded-Encrypted: i=1; AJvYcCX5v1tc3jmwEHXkohQiREvVItcFTtd9uVB559m9Rj8xi5vVnvf0BePt0BSihnzaU2ycH/+z/YPw+bph61I=
X-Gm-Message-State: AOJu0YzrIeGsN7SR9CPhWoy7XgVKQX7YlrlDI+pcEtPul4SoG5z/dexB 6XCDmHo5W7roe51GSeTnJwi2aTR4kBIMzXAr730aTBqjDELcklRDYtsR6FKo0kH8hotxJUnaMBV VVi0jALRnMnWOUkanHOj66DW2uxfCDo9XgWCGoA==
X-Google-Smtp-Source: AGHT+IHlXHh07dqS6f+8zGKuiit24de/5ZafEhevfZM5ZVtEQNa5tjig7VzVgZv41uBljo9TcrDI4f1bSh/7Zpwv8/s=
X-Received: by 2002:a81:6c89:0:b0:609:7055:f725 with SMTP id h131-20020a816c89000000b006097055f725mr3322513ywc.18.1711746828188; Fri, 29 Mar 2024 14:13:48 -0700 (PDT)
MIME-Version: 1.0
References: <B5E1CFD9-32F5-482E-B305-2D739AD273BA@sn3rd.com> <0BC652C3-9BBF-4E18-97D1-4036EA16C9E4@vigilsec.com> <CAFR824w7TrCugQqevmcGarmA2_yQuBz1rFLdg2yejpKL6PiS_w@mail.gmail.com>
In-Reply-To: <CAFR824w7TrCugQqevmcGarmA2_yQuBz1rFLdg2yejpKL6PiS_w@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 29 Mar 2024 14:13:11 -0700
Message-ID: <CABcZeBMcNpQcGNjpd4PJyy1aFCYCGqrJaHWUJaNagPSVPyhH-A@mail.gmail.com>
To: Deirdre Connolly <durumcrustulum@gmail.com>
Cc: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a3dfc80614d31dc3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RKogLnckXQS2vYyGvuoVN5Ig40A>
Subject: Re: [TLS] -draft8447bis: rename Support Group Elliptic curve groups space
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2024 21:14:12 -0000

On Fri, Mar 29, 2024 at 1:42 PM Deirdre Connolly <durumcrustulum@gmail.com>
wrote:

> > KEMs are not "key agreement" algorithms as suggested by this draft
> name.  In a key agreement algorithm, both parties contribute to the shared
> secret.  With a KEM, only one party generates the the shared secreat value.
>
> This is not generally accurate with the KEM schemes under consideration
> for adoption by any standards bodies: in the -hybrid-design and
> -mlkem-key-agreement documents, the `Client` generates an ephemeral
> keypair, and the `Server` encapsulates to that keypair, but especially in
> ML-KEM which is under consideration in both documents, the KEM randomly
> sampled message `m` is sampled by the `Server` but the final
> `shared_secret` resulting from `Encaps` and `Decaps` is based on computing
> over the message `m`, the public key `PK` generated by the `Client`, as
> well as the randomized ciphertext `CT` generated by the `Server`. The
> encapsulated message `m` is not actually the `shared_secret` that is the
> input to the TLS 1.3  key schedule, even independent of the entire
> handshake transcript being included into the full key schedule as well.
>
> The naming of the document excluded 'key exchange' and 'key
> establishment', and went with 'key agreement', but that is a weakly held
> name,
>

I would probably rank order these as establishment > agreement > exchange,
but I'm not going to argue about these.

-Ekr


> On Thu, Mar 28, 2024 at 5:08 PM Russ Housley <housley@vigilsec.com> wrote:
>
>> Sean:
>>
>> I observe that ML-KEM is not a Elliptic curve group or a Finite Field
>> Diffie-Hellman group.  I really think we want to include sepport for KEMs.
>> but a separate range is needed.  I assume it will be carved out of the
>> Elliptic curve group range.
>>
>> KEMs are not "key agreement" algorithms as suggested by this draft name.
>> In a key agreement algorithm, both parties contribute to the shared
>> secret.  With a KEM, only one party generates the the shared secreat value.
>>
>> Russ
>>
>> > On Mar 28, 2024, at 10:52 AM, Sean Turner <sean@sn3rd.com> wrote:
>> >
>> > <author hat>
>> >
>> > **WARNING: Potential bikeshed**
>> >
>> > -connolly-tls-mlkem-key-agreement has suggested that code points for
>> the NIST PQ be registered in the TLS Supported Groups IANA registry [1].
>> Currently [2], the registry is carved up into three blocks as follows:
>> >
>> > Range: 0-255, 512-65535
>> > Registration Procedures: Specification Required
>> > Note: Elliptic curve groups
>> >
>> > Range 256-511
>> > Registration Procedures: Specification Required
>> > Note: Finite Field Diffie-Hellman groups
>> >
>> > Assuming that the proposal in -connolly-tls-mlkem-key-agreement is the
>> path for PQ KEM algorithms (and maybe regardless of whether this is the
>> path), we should really replace the “Elliptic curve groups” note in the
>> 0-255, 512-65535 range row with something else.  I am open to suggestions,
>> but would like to propose “unallocated”. I have submitted the following
>> issue:
>> > https://github.com/tlswg/rfc8447bis/issues/54
>> > and this PR:
>> > https://github.com/tlswg/rfc8447bis/pull/55
>> > to address this.
>> >
>> > spt
>> >
>> > [1]
>> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
>> >
>> > [2] Originally, RFC 8442 defined the name of the registry as "EC Named
>> Curve Registry” and then RFC 7919 re-named it “Supported Groups” and carved
>> out the FFDH space.
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email