Re: [TLS] Options for negotiating hybrid key exchanges for postquantum

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 30 July 2019 20:20 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEFB3120024 for <tls@ietfa.amsl.com>; Tue, 30 Jul 2019 13:20:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=QAjekeK1; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=MCF3bOso
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iHsk32wRRYu8 for <tls@ietfa.amsl.com>; Tue, 30 Jul 2019 13:20:10 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 094C312001A for <tls@ietf.org>; Tue, 30 Jul 2019 13:20:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3516; q=dns/txt; s=iport; t=1564518009; x=1565727609; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=QLf24tAcri98XNCSBHgYfGD0ZxpZDZY9vqEdr/MYhZA=; b=QAjekeK1BU7dMFy5g0JXbMwqbZJQ7cnOWRvjaHaHMlODNTieieOSPQk2 f1MQxN8rlj2SIXGTBzGXMtqbAimuoojPLEdYKIYk0eQCHI966YBOAuWe6 y30Y0KUDmHLB3FYZ2mCM97dwi6BoGe9vi0LX1jEvjfJyuMBvYv2UOFp8c w=;
IronPort-PHdr: =?us-ascii?q?9a23=3A1/+9jRdo+JFWIDNl75WBJ9WBlGMj4e+mNxMJ6p?= =?us-ascii?q?chl7NFe7ii+JKnJkHE+PFxlwGQD57D5adCjOzb++D7VGoM7IzJkUhKcYcEFn?= =?us-ascii?q?pnwd4TgxRmBceEDUPhK/u/dCI+AcRYWUVN9HCgOk8TE8H7NBXf?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0B8AAC2pUBd/5NdJa1lGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBZ4FEUAOBQiAECyoKhBSDRwONBoJbfohWjgCCUgNUCQE?= =?us-ascii?q?BAQwBAS0CAQGEQAIXgisjOBMBAwEBBAEBAgEGbYUeDIVKAQEBAQIBEhERDAE?= =?us-ascii?q?BNwELBAIBCBEEAQEBAgImAgICHxEVCAgBAQQBDQUIGoRrAw4PAaFeAoE4iGB?= =?us-ascii?q?xgTKCegEBBYUJDQuCEwmBDCiLYBeBQD+BEUaCFwcuPoIagiwVgnQygiaOfpt?= =?us-ascii?q?DQAkCghqLCYUWhBKYEY09iUGOGQIEAgQFAg4BAQWBZyGBWHAVO4JsgkIMBRK?= =?us-ascii?q?DTopTcoEpjCwBgSABAQ?=
X-IronPort-AV: E=Sophos;i="5.64,327,1559520000"; d="scan'208";a="607790101"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 30 Jul 2019 20:20:04 +0000
Received: from XCH-ALN-008.cisco.com (xch-aln-008.cisco.com [173.36.7.18]) by rcdn-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id x6UKK2Sa006147 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 30 Jul 2019 20:20:03 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-ALN-008.cisco.com (173.36.7.18) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 30 Jul 2019 15:20:01 -0500
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 30 Jul 2019 15:20:01 -0500
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 30 Jul 2019 15:20:01 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aU1BR42PpwczBsmJQtOmZg57Dndv5dQm1NbkIyvvLzdZXJiug6vWav+hKWLlNFruHsByrS2ZpEUehwx+EhPjG26XFWUmCb7pQgNqjhzTmnL7dFaxLa1Q1Wf1vzDeGs/pSewlmcuZBD+JJBhrz5v+PLsmXgX9pHgmSzPZiyNIQMJlfLvczKXVkdNBD7zJMRCvqpCooSKajS8K+kOl80e8WFfd5R6WANQVfUAlXHJ61yAegrAWLZ4KZer6eT3JdWwj8bQt2uiq6RLTjluvW2iFIA0v9pjyu7eNZDjb6vgr0S6JfMd9IilcfUdWPmhvbr/vt3OAD5wnfg0IV7/ZWE+bTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QLf24tAcri98XNCSBHgYfGD0ZxpZDZY9vqEdr/MYhZA=; b=gwaThj2x481ci565heK49zt26DzvmMngYQhj9f3eqS8kRcVpPxSspEEot04JtJD/PicaQJa8DMd1L8bAS34fyzbIiiBhTItPCDcBsA2vrn97OxYZGG87HUdA7VqMPXZ8kLCMssYSPel+3JFscfQOHMX2YFrZYEuAyMA09TKZGpmbc6FTB7c2KzvTOBWx01A6qh8mTMlZqxLYOKfe7P1EKZpkFEFPyaClWP64i3OSjKTkBZkumP9ffb5ar5/3Mdm1sBeLYutmYX4GK80SK5cBS7KdhaEYSGAn96cmCVsYDKLypWkt3ZqGZmM6BeUTdUve3F1+c8FhC/UGQ5+iOBb3mA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=cisco.com;dmarc=pass action=none header.from=cisco.com;dkim=pass header.d=cisco.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QLf24tAcri98XNCSBHgYfGD0ZxpZDZY9vqEdr/MYhZA=; b=MCF3bOsoKiGmI73P6Hk5n1qq7u61PajoBoDzYZ7r3wdv/+m0iHG5ZG+XZJ+dtn6G0iuaTdbSt6GYOPx6V4qe+mz/68EajE1j3jccVGCVDV17qGR/50vu8YcyU9A3Iq2vLZp6C75vg3MU5Pa26IqwaQwe+T0g6HsDT9um0kr1WbU=
Received: from MN2PR11MB3871.namprd11.prod.outlook.com (10.255.180.204) by MN2PR11MB4125.namprd11.prod.outlook.com (20.179.150.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2115.13; Tue, 30 Jul 2019 20:19:59 +0000
Received: from MN2PR11MB3871.namprd11.prod.outlook.com ([fe80::4c5:965:c7b7:387b]) by MN2PR11MB3871.namprd11.prod.outlook.com ([fe80::4c5:965:c7b7:387b%3]) with mapi id 15.20.2115.005; Tue, 30 Jul 2019 20:19:59 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Watson Ladd <watsonbladd@gmail.com>
CC: TLS List <tls@ietf.org>
Thread-Topic: [TLS] Options for negotiating hybrid key exchanges for postquantum
Thread-Index: AdVG1haOE+yO4N1wQQSyYtQ5VKKSwAAHEKmAAAOq4EAAA9c6AAAAqcNw
Date: Tue, 30 Jul 2019 20:19:59 +0000
Message-ID: <MN2PR11MB38717351DFE893C375BB90FCC1DC0@MN2PR11MB3871.namprd11.prod.outlook.com>
References: <MN2PR11MB38719A31081434FEF6A84999C1DC0@MN2PR11MB3871.namprd11.prod.outlook.com> <CACsn0c=bmsyDPhTUtCcEv1WnnsR8OmDO67TFTu1aWSxikESOEA@mail.gmail.com> <MN2PR11MB3871829A35631EE2724335C7C1DC0@MN2PR11MB3871.namprd11.prod.outlook.com> <663791e0-1a2a-27cd-f1c7-20658eb0b9f5@cs.tcd.ie>
In-Reply-To: <663791e0-1a2a-27cd-f1c7-20658eb0b9f5@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=sfluhrer@cisco.com;
x-originating-ip: [173.38.117.65]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d64522e9-8595-4299-877a-08d7152b4bfe
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:MN2PR11MB4125;
x-ms-traffictypediagnostic: MN2PR11MB4125:
x-microsoft-antispam-prvs: <MN2PR11MB412538FDC6CB1693839B0F39C1DC0@MN2PR11MB4125.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0114FF88F6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(366004)(39860400002)(136003)(376002)(346002)(189003)(199004)(13464003)(4326008)(81166006)(66556008)(486006)(33656002)(6436002)(81156014)(9686003)(6116002)(55016002)(6246003)(2906002)(110136005)(66066001)(53936002)(478600001)(476003)(99286004)(8936002)(26005)(5660300002)(14444005)(8676002)(7696005)(66446008)(256004)(53546011)(52536014)(186003)(229853002)(316002)(3846002)(102836004)(14454004)(71190400001)(86362001)(76176011)(66476007)(296002)(25786009)(76116006)(305945005)(6506007)(68736007)(446003)(64756008)(71200400001)(66946007)(74316002)(11346002)(7736002); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4125; H:MN2PR11MB3871.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: DUnaz3ByS8tsiSmj4Qry2cBMg8Aqx/SQOverAl/dU4Uchq4grQla9DQ1tJJbxLqep2Wa2taLB0Oi7YTGwWsXb+O+IaQjWQpZPrt963yuP+nhM2D4MkzmcrsXjyYOSOSy4rgLw8XV7Y9kOmn/q3tQWRlUSO8Oo/KkRRbhdPLywaOisige/X+DCSzrkQl7rCOyTjzgAyUTMlIc1SqLABw9J+YqVHqKGszUK89dfIJupIG6wwSEwRdhLFvjFDb77x9twb7K7S1x4VlhEsg46MSthF+SrZ2TmD0Ee3bjtdcVy22FkhV85yvmLuPxhnh7Qbo2Si8jaiitxcmyYA3mE8uPpEDE2/1hNb9z0B7x5YIU72FCLVYm5iPaNGR7w34NeX+KfULtZXOTwILuB5IUzDL0zXwrQ/89oyNWcTDNLORL83M=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d64522e9-8595-4299-877a-08d7152b4bfe
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jul 2019 20:19:59.6814 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sfluhrer@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4125
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.18, xch-aln-008.cisco.com
X-Outbound-Node: rcdn-core-11.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/S7-BaU61Lt66_yi8izayubTnMck>
Subject: Re: [TLS] Options for negotiating hybrid key exchanges for postquantum
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 20:20:12 -0000

> -----Original Message-----
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>;
> Sent: Tuesday, July 30, 2019 3:53 PM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>;; Watson Ladd
> <watsonbladd@gmail.com>;
> Cc: TLS List <tls@ietf.org>;
> Subject: Re: [TLS] Options for negotiating hybrid key exchanges for
> postquantum
> 
> 
> I'm neutral as to how we represent this stuff for the moment as I think it's
> too early to tell until we get closer to the end of the algorithms competition.

I'm of the opposite opinion; I think it is important to get this settled before (or at the time) the algorithm competition ends.  I really wouldn't want to see us wait for NIST to settle on (say) SIKE and NewHope, and then have us spend another year or two debating on how to integrate them into our protocols.  Instead, I would rather spend the year or two now (when we're not on the critical path).

Now, there are certainly things we don't know yet about the results of the competition (how many algorithms, what types of parameter sets, what sizes of key shares do they have); however (based on the current round 2 submissions) we can certainly have some informed suspicions...

> 
> That said, I do want to second this...
> 
> On 30/07/2019 19:41, Scott Fluhrer (sfluhrer) wrote:
> > Here is one opinion (mine, but I'm pretty sure it is shared by
> > others): the various NIST candidates are based on hard problems that
> > were only recently studied (e.g. supersingular isogenies, Quasicyclic
> > codes), or have cryptanalytic methods that are quite difficult to
> > fully assess (e.g. Lattices).  Even after NIST and CFRG have blessed
> > one or more of them, it would seem reasonable to me that we wouldn't
> > want to place all our security eggs in that one basket.  We currently
> > place all our trust in DH or ECDH; however those have been studied for
> > 30+ years - we are not there yet for most of the postquantum
> > algorithms.
> >
> > Hence, it seems reasonable to me that we give users the option of
> > being able to rely on multiple methods.
> The only person with whom I've spoken who said he'd plan to deploy some
> of this soon is a VPN operator who explicitly wanted to start early and use >1
> PQ scheme (3-4 is what he
> said) plus a current scheme. His expectation was that that'd settle down to
> one PQ scheme, or one PQ and a current one, in time, but that time may be a
> decade after he'd like to start.
> 
> So, to the extent it matters, count me as a +1 for supporting that.
> 
> Cheers,
> S.