[TLS] What is the TLS WG plan for quantum-resistant algorithms?
John Mattsson <john.mattsson@ericsson.com> Mon, 06 November 2023 09:09 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SGOlqfUoEhQErpeHxe60_NqvXow>
Hi,

NIST has released draft standards for ML-KEM, ML-DSA, and ML-SLH. Final standards are expected in Q1 2024.
https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography

I would like to have standard track TLS (and DTLS, QUIC) RFCs for ML-KEM and ML-DSA (all security levels standardized by NIST) as soon as possible after the final NIST standards are ready. 3GPP is relying almost exclusively on IETF RFCs for uses of public key cryptography (the exception is ECIES for IMSI encryption but that will likely use HPKE with ML-KEM in the future).

Looking at the TLS document list, it seems severely lacking when it comes to ML-KEM, ML-DSA…

The adopted draft-ietf-tls-hybrid-design is an informal draft dealing with the pre-standard Kyber.
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

AuthKEM is a quite big change to TLS
https://datatracker.ietf.org/doc/draft-wiggers-tls-authkem-psk/

This is not adopted, informal, and dealing with the pre-standard Kyber.
https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/

What is the TLS WG plan for quantum-resistant algorithms?

My current view is that I would like ML-KEM-512, ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, and ML-DSA-87 registered asap. For hybrid key exchange I think X25519 and X448 are the only options that make sense. For hybrid signing, ECDSA, EdDSA, and RSA could all make sense.

Cheers,
John

From: TLS <tls-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Date: Friday, 8 September 2023 at 02:48
To: i-d-announce@ietf.org <i-d-announce@ietf.org>
Cc: tls@ietf.org <tls@ietf.org>
Subject: [TLS] I-D Action: draft-ietf-tls-hybrid-design-09.txt

Internet-Draft draft-ietf-tls-hybrid-design-09.txt is now available. It is a work item of the Transport Layer Security (TLS) WG of the IETF.

   Title:   Hybrid key exchange in TLS 1.3
   Authors: Douglas Stebila
            Scott Fluhrer
            Shay Gueron
   Name:    draft-ietf-tls-hybrid-design-09.txt
   Pages:   23
   Dates:   2023-09-07

Abstract:

   Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3.

   Discussion of this work is encouraged to happen on the TLS IETF mailing list tls@ietf.org or on the GitHub repository which contains the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-09.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-hybrid-design-09

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls