[TLS] Re: Concerns about the current draft.
Bas Westerbaan <bas@cloudflare.com> Mon, 25 August 2025 10:44 UTC
References: <PH0PR07MB9683AED41B66451E26CBC84AD024A@PH0PR07MB9683.namprd07.prod.outlook.com>
In-Reply-To: <PH0PR07MB9683AED41B66451E26CBC84AD024A@PH0PR07MB9683.namprd07.prod.outlook.com>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Mon, 25 Aug 2025 12:44:19 +0200
Message-ID: <CAMjbhoWgCPNJOZ56s4LZVFDhcf7RLGG-Os9=oB=n=k7BJ8gUug@mail.gmail.com>
To: ma bing <bingmatv@outlook.com>
CC: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Re: Concerns about the current draft.
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RSCFT0__CA_HgpRdVV64qEEj-Ng>
Thanks Eric. Let me add a few more words.

Although opinions differ on whether Grover's algorithm will ever be practical, there is no debate that attacks with Grover's algorithm are much further out in the future than Shor. There are some advantages to moving to 256-bit symmetric ciphers apart from countering Grover, and it's not that expensive, so quite a few experts will not bother debunking the misleading "we must double symmetric key size because of quantum".

I have two objections to that, though. To start, I do not think we have enough time and resources to migrate everything. Not by a long shot. I would rather have someone spend their limited efforts on upgrading RSA somewhere, instead of AES-128. Secondly, if we do insist on AES-256, then we must match our asymmetric cryptography to that as well. In stark contrast to symmetric cryptography, moving to 256 bits for asymmetric cryptography is much more expensive.

Now, you might also notice that ML-KEM-768 is designed to match AES-192, whereas X25519 roughly matches AES-128. That's intentional: we picked ML-KEM-768 not to match AES-192, but to have a big margin on top of AES-128 in case there is a cryptanalytic advance.

Finally, I would like to note another reason for traditional/PQC hybrids. Most people simply don't care about post-quantum cryptography, but they do care about their existing security or compliance. Many of our customers would be quite uncomfortable with us switching completely to some newfangled cryptography. It can be done, but it takes more time, and I don't think we have that much time left. Hybrids sidestep the problem, as they will allow us to deploy PQC by default.

Best,

 Bas

On Sun, Aug 24, 2025 at 10:35 PM ma bing <bingmatv@outlook.com> wrote:

> Some websites including Google are using the experimental ECC+Kyber hybrid
> solution, but Google and others still use AES-128, a quantum computer can
> weaken 128-bit symmetric encryption to 64-bit security, it's the 1st
> concern. So the draft should only use AES-256. And NSA suggests
> 1024-dimensional MLKEM, the 2nd concern is that Google and others use
> MLKEM768. The 3rd concern is that the draft uses ECC in addition to Kyber.
> NIST has approved HQC (Hamming Quasi-Cyclic) in addition to the already
> approved ciphers, I suggest to switch from ECC+Kyber to HQC+Kyber; Since
> ECC is vulnerable to quantum computers, using ECC+Kyber is likely a false
> positive, so I think HQC+Kyber is better. In conclusion, I think there are
> 3 concerns.
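As an added example, not part of this thread and not code from any of the posters, the following Go program walks through the traditional/PQC hybrid the message above refers to: the X25519MLKEM768 key exchange of draft-ietf-tls-ecdhe-mlkem, built on the standard library's crypto/mlkem and crypto/ecdh (Go 1.24 or later is assumed; the function names are this example's own). It shows what "hybrid" means on the wire: the client's key_share is the ML-KEM-768 encapsulation key followed by its X25519 public key, the server's is the ML-KEM ciphertext followed by its X25519 public key, and the secret handed to the TLS 1.3 key schedule is the 32-byte ML-KEM secret followed by the 32-byte X25519 secret. An attacker who breaks one component therefore still lacks 32 bytes of the input the key schedule consumes, which is the property that lets the X25519 half satisfy today's compliance requirements while the ML-KEM half provides the post-quantum margin.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
	"slices"
)

// X25519MLKEM768 wire layout per draft-ietf-tls-ecdhe-mlkem: ML-KEM bytes come first
// in the client share, in the server share and in the shared secret.
const (
	x25519Len       = 32
	clientShareLen  = mlkem.EncapsulationKeySize768 + x25519Len // 1184 + 32 = 1216
	serverShareLen  = mlkem.CiphertextSize768 + x25519Len       // 1088 + 32 = 1120
	hybridSecretLen = mlkem.SharedKeySize + x25519Len           // 32 + 32 = 64
)

// clientKeyShare generates both ephemeral keys and returns them with the 1216-byte
// key_share payload: ML-KEM-768 encapsulation key || X25519 public key.
func clientKeyShare() (*mlkem.DecapsulationKey768, *ecdh.PrivateKey, []byte, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, nil, err
	}
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	return dk, priv, slices.Concat(dk.EncapsulationKey().Bytes(), priv.PublicKey().Bytes()), nil
}

// x25519Agree runs X25519 against the peer's 32-byte public key. RFC 8446 §7.4.2
// requires aborting on an all-zero result; crypto/ecdh returns an error in that case.
func x25519Agree(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// serverKeyShare encapsulates to the client's ML-KEM key, runs X25519, and returns
// the 1120-byte share (ciphertext || X25519 public key) and the 64-byte secret.
func serverKeyShare(clientShare []byte) (share, secret []byte, err error) {
	if len(clientShare) != clientShareLen {
		return nil, nil, fmt.Errorf("client share: want %d bytes, got %d", clientShareLen, len(clientShare))
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err // non-canonical encapsulation key
	}
	kemSS, ct := ek.Encapsulate()
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ecdhSS, err := x25519Agree(priv, clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	return slices.Concat(ct, priv.PublicKey().Bytes()), slices.Concat(kemSS, ecdhSS), nil
}

// clientFinish decapsulates, runs X25519, and derives the same 64-byte secret.
func clientFinish(dk *mlkem.DecapsulationKey768, priv *ecdh.PrivateKey, serverShare []byte) ([]byte, error) {
	if len(serverShare) != serverShareLen {
		return nil, fmt.Errorf("server share: want %d bytes, got %d", serverShareLen, len(serverShare))
	}
	kemSS, err := dk.Decapsulate(serverShare[:mlkem.CiphertextSize768])
	if err != nil {
		return nil, err
	}
	ecdhSS, err := x25519Agree(priv, serverShare[mlkem.CiphertextSize768:])
	if err != nil {
		return nil, err
	}
	return slices.Concat(kemSS, ecdhSS), nil
}

// hybridExchange runs one complete exchange and returns both sides' secrets.
func hybridExchange() (clientSecret, serverSecret []byte, err error) {
	dk, priv, cs, err := clientKeyShare()
	if err != nil {
		return nil, nil, err
	}
	ss, serverSecret, err := serverKeyShare(cs)
	if err != nil {
		return nil, nil, err
	}
	clientSecret, err = clientFinish(dk, priv, ss)
	return clientSecret, serverSecret, err
}

func main() {
	c, s, err := hybridExchange()
	fmt.Printf("agree=%v len=%d err=%v\n", string(c) == string(s), len(c), err)
}
```

The 64-byte concatenation is consumed by the TLS 1.3 key schedule exactly where the plain (EC)DHE secret would be, as the input to HKDF-Extract for the handshake secret; the draft defines no separate combiner beyond that. Two checks worth keeping even in a sketch: reject shares of the wrong length before slicing, and let the X25519 step fail on a low-order peer key (an all-zero shared secret), since a peer who can force the X25519 half to a known value removes one of the two reasons the hybrid exists.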
- [TLS] Re: [EXT] Re: Concerns about the current dr… D. J. Bernstein
- [TLS] Concerns about the current draft. ma bing
- [TLS] Re: Concerns about the current draft. Eric Rescorla
- [TLS] Re: Concerns about the current draft. Bas Westerbaan
- [TLS] Re: Concerns about the current draft. D. J. Bernstein
- [TLS] Re: [EXT] Re: Concerns about the current dr… D. J. Bernstein
- [TLS] Re: [EXT] Re: Concerns about the current dr… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Concerns about the current draft. Robert Relyea
- [TLS] Re: Concerns about the current draft. Sophie Schmieg
- [TLS] Re: Concerns about the current draft. tirumal reddy
- [TLS] Re: [EXT] Re: Concerns about the current dr… John Mattsson
- [TLS] Re: [EXT] Re: Concerns about the current dr… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Concerns about the current draft. John Mattsson
- [TLS] Re: Concerns about the current draft. Sophie Schmieg
- [TLS] Re: Concerns about the current draft. Tim Hollebeek
- [TLS] Re: Concerns about the current draft. Martin Thomson
- [TLS] Re: Concerns about the current draft. David Benjamin
- [TLS] Re: Concerns about the current draft. John Mattsson