Re: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt
Thom Wiggers <thom@thomwiggers.nl> Tue, 26 October 2021 15:03 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TwTEV0kNRhdInBFOd4OzlgB3j1g>
Dear list,

This email is in regards to draft-celi-wiggers-tls-authkem. We’ve only made some minor fixes to the authentication-via-KEM proposal that we submitted and presented at the last IETF meeting (IETF111) at the working group.

We did receive a few questions and comments on the draft during that presentation and prior to it that we would like to address. We had the impression that those questions were mainly focused on the motivation: the reason for the draft's existence. Because we found there is not really a lot of space for the motivation of certain choices in the text of the draft itself, we instead wrote a document that we call “AuthKEM abridged”. In it, we try to clearly point out our motivations, design choices and provide an intuition of the security model. You can find it at https://claucece.github.io/draft-celi-wiggers-tls-authkem/docs/authkem-abridged.html. We hope that you will find it useful and if there is anything we should add or explain better, please let us know.

We touch on questions such as:

- Why consider KEMs for authentication?
- Why now if post-quantum KEMs or post-quantum signatures aren’t standardized yet?
- Discussion about the extra half-round trip that is added

Meanwhile, we’ve been putting some cycles towards the formal analysis of the KEMTLS protocol (which should extend to the AuthKEM one) in Tamarin, building on the existing TLS 1.3 model. There’s still a lot to be done, but we hope to be able to back this draft proposal with some machine-checked analysis in the future.

Noting here as there seemed to be some confusion around it: KEMs are not compatible with non-interactive key exchange schemes such as draft-ietf-tls-semistatic-dh. At the moment, CSIDH is the only post-quantum scheme compatible with semistatic-DH-like protocols. CSIDH is probably not practical for use in TLS due to it being very slow, and its security level is still the subject of intense debate.

Cheers and have a nice IETF 112,

Thom Wiggers and Sofía Celi
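The interface difference behind the message's remark on KEMs and non-interactive key exchange, as an added example that is not part of the original email or of the draft. It assumes a toy, insecure group and hypothetical function names, and shows why authenticating a key holder through a KEM needs a ciphertext to travel first, whereas a NIKE needs no message at all.

```python
import hashlib, hmac, secrets

# Toy group, constructed for illustration only (NOT secure parameters).
P, G = 2**255 - 19, 2

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def kdf(*elems):
    return hashlib.sha256(b"".join(e.to_bytes(32, "big") for e in elems)).digest()

# NIKE, the primitive semistatic DH needs: each side combines its own private
# key with the peer's public key. No message is exchanged.
def nike_shared(my_sk, peer_pk):
    return kdf(pow(peer_pk, my_sk, P))

# KEM interface. Encaps is randomized and yields a ciphertext that has to reach
# the key holder before the holder can compute anything. This one is built from
# DH for brevity; a generic KEM offers only these two calls and no nike_shared().
def kem_encaps(pk):
    eph_sk, ct = keygen()
    return ct, kdf(ct, pow(pk, eph_sk, P))

def kem_decaps(sk, ct):
    return kdf(ct, pow(ct, sk, P))

def kem_authenticate(server_sk, server_pk):
    """Hypothetical flow: the server proves possession of server_sk via a KEM."""
    messages = []
    ct, client_ss = kem_encaps(server_pk)           # client side
    messages.append("client->server: ciphertext")
    server_ss = kem_decaps(server_sk, ct)           # server side
    tag = hmac.new(server_ss, b"confirm", hashlib.sha256).digest()
    messages.append("server->client: key confirmation")
    expected = hmac.new(client_ss, b"confirm", hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), messages

if __name__ == "__main__":
    a_sk, a_pk = keygen()
    b_sk, b_pk = keygen()
    print("NIKE, zero messages:", nike_shared(a_sk, b_pk) == nike_shared(b_sk, a_pk))
    print("KEM authentication:", kem_authenticate(b_sk, b_pk))
```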