IETF Logo Mail Archive

[TLS] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 02 April 2025 04:47 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id AB7151635839 for <tls@mail2.ietf.org>; Tue, 1 Apr 2025 21:47:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=dukhovni.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wdOfQS0OVIqt for <tls@mail2.ietf.org>; Tue, 1 Apr 2025 21:47:49 -0700 (PDT)
Received: from chardros.imrryr.org (chardros.imrryr.org [144.6.86.210]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id AF2091635834 for <tls@ietf.org>; Tue, 1 Apr 2025 21:47:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dukhovni.org; i=@dukhovni.org; q=dns/txt; s=f8320d6e; t=1743569266; h=date : from : to : subject : message-id : reply-to : references : mime-version : content-type : in-reply-to : from; bh=ShO/k7HMN7qxoG9WZR0mwaufzsqx4UZ9uDaRE4PLc28=; b=VV+XaRpy0RocWNx2E500mah6ybreQmaXCaPh7YLOVymad2WkKQLMw26bKFi+FIvhaJ9yB Pgy6PfAv8evmKVR08mneLhxqpeHbqoOyT16hVGD2ROolxHvkTy71Fv0/CeSBC0JovZUZAFI Wz9J9qmp/F+epav1eO2WyJ4Gfq2b19c=
Received: by chardros.imrryr.org (Postfix, from userid 1000) id 5883A86950B; Wed, 02 Apr 2025 15:47:46 +1100 (AEDT)
Date: Wed, 02 Apr 2025 15:47:46 +1100
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <Z-zBcmswidWthkvF@chardros.imrryr.org>
References: <582917A1-F936-4A15-AE9D-342076605BE7@sn3rd.com> <f65014ed-9830-46ef-ad9e-4d9813b74f0c@betaapp.fastmail.com> <CAOp4FwRFo7NkbTf9Vi-WgwZrS712WU8kM_kKA3eiAByZey74Mw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAOp4FwRFo7NkbTf9Vi-WgwZrS712WU8kM_kKA3eiAByZey74Mw@mail.gmail.com>
Mail-Followup-To: <tls@ietf.org>
Message-ID-Hash: GTSWKWB5BBKXOYTOKIVTPS6VY5FXCJDV
X-Message-ID-Hash: GTSWKWB5BBKXOYTOKIVTPS6VY5FXCJDV
X-MailFrom: ietf-dane@dukhovni.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Reply-To: tls@ietf.org
Subject: [TLS] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SeXinHcVTxN7PPOmYeujxHrygkk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Wed, Apr 02, 2025 at 08:07:49AM +0400, Loganaden Velvindron wrote:

> I share the same view as Martin. I also support adoption but we should
> be very careful proceeding forward.

It seems fair to assume at this point that even if/when adopted the
"Recommended" status will be "N".  That aside, the IANA codepoints are
already assigned, and the protocol payloads are obvious (c2s ek, s2c
ciphertext, both from FIPS 203, and by the clear analogy with the
widely used composites).

Implementations are already deployed, though not necessarily enabled in
default configurations.  For example, in OpenSSL 3.5.0 all three
variants are implemented, but none are in the default value of the
supported groups extension:

    $ openssl list -tls1_3 -tls-groups | tr ':' '\n' | grep -i mlkem
    MLKEM512
    MLKEM768
    MLKEM1024
    SecP256r1MLKEM768
    X25519MLKEM768
    SecP384r1MLKEM1024

The default supported groups are:

    "?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072"

which means that a client key share is by default sent for
"X25519MLKEM768" and it is chosen by the server (HRR if necessary) when
mutually supported.  A client key share is also sent for "X25519" and it
is otherwise chosen by the server when mutually supported. Otherwise,
"secp256r1" (P-256) is chosen, or else one of the remaining EC groups,
or else either of the FFDHE groups.

Some wordsmithing aside, I don't see that there's much to do here, the
protocol details won't change.  Key in clients reuse will be rare, and
non-catastrophic, interoperable key reuse in servers is not possible.

It won't much difference whether this is published by the WG or the ISE,
except as to who gets to do the wordsmithing.  If the WG would rather
not deal with it, the ISE would likely save the authors a lot of bother.

If the WG would like to tweak security considerations, or otherwise
polish the text, then adoption is the opportunity to do so.

-- 
    Viktor.

v2.30.2 | Report a Bug | By Email | System Status