[TLS] Re: I-D Action: draft-ietf-tls-mlkem-00.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 17 April 2025 07:20 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id DD5861D7D3DA for <tls@mail2.ietf.org>; Thu, 17 Apr 2025 00:20:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=dukhovni.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_fGqbVUwhvf for <tls@mail2.ietf.org>; Thu, 17 Apr 2025 00:20:45 -0700 (PDT)
Received: from chardros.imrryr.org (chardros.imrryr.org [144.6.86.210]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 019681D7D3C5 for <tls@ietf.org>; Thu, 17 Apr 2025 00:20:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dukhovni.org; i=@dukhovni.org; q=dns/txt; s=f8320d6e; t=1744874440; h=date : from : to : subject : message-id : reply-to : references : mime-version : content-type : in-reply-to : from; bh=BFi+JYbdLNfLC2yDFR68eccvrytP47vnZbDcRX2c80s=; b=z4BjAwk+0PDZwQLYpcRTELrSpjXjd37DRaKc/nu84ARAIPHO6SbWcqw0H+y/0tBb0QDyP vuDxVexkQFRrh409oWKTY+4WHfoIToODEo4Hvwwwg6PMVnfuhy1X2gqA8xocKd1x9je17DK VGrR1NjahY9cTpSi/i5dpP4wOjzVyj0=
Received: by chardros.imrryr.org (Postfix, from userid 1000) id 70B208D0A86; Thu, 17 Apr 2025 17:20:40 +1000 (AEST)
Date: Thu, 17 Apr 2025 17:20:40 +1000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <aACryGebPr_VoGak@chardros.imrryr.org>
References: <174482144256.1417643.12778721014959621161@dt-datatracker-64c5c9b5f9-hz6qg>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <174482144256.1417643.12778721014959621161@dt-datatracker-64c5c9b5f9-hz6qg>
Mail-Followup-To: <tls@ietf.org>
Message-ID-Hash: OQRFTISVNFW3K6TWPI3A4JGQ4OKMKDFK
X-Message-ID-Hash: OQRFTISVNFW3K6TWPI3A4JGQ4OKMKDFK
X-MailFrom: ietf-dane@dukhovni.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Reply-To: tls@ietf.org
Subject: [TLS] Re: I-D Action: draft-ietf-tls-mlkem-00.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TydxfWO4-eUFXQOsuynvgvpjvhI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On Wed, Apr 16, 2025 at 09:37:22AM -0700, internet-drafts@ietf.org wrote: > Internet-Draft draft-ietf-tls-mlkem-00.txt is now available. It is a work item > of the Transport Layer Security (TLS) WG of the IETF. > > Title: ML-KEM Post-Quantum Key Agreement for TLS 1.3 > Author: Deirdre Connolly > Name: draft-ietf-tls-mlkem-00.txt > Pages: 11 > Dates: 2025-04-16 Thanks for posting the draft. Initial review comments: Section 3. Key encapsulation mechanisms ---------- The text feels somewhat clumsy, and it is not clear that framing the steps as algorithms/APIs is helpful. APIs vary, and I don't believe that the details matter here. Original: This document models key agreement as key encapsulation mechanisms (KEMs), which consist of three algorithms: ... Suggested: Obtaining a shared secret via Key Encapsulation Mechanism (KEM) entails three logical steps: * Key Generation: Alice generates a public encapsulation key ek and a secret decapsulation key dk. The encapsulation key ek is sent to Bob. * Encapsulation: Bob uses Alice's public encapsulation key ek to obtain a shared secret and a ciphertext ct to send to Alice that enables the holder (Alice) of the decapsulation key dk to obtain the same shared secret. * Decapsulation: Alice uses the ciphertext ct and her private decapsulation key dk to obtain the same shared secret as Bob. The text then goes on to describe the three paramer sets, but I don't see that the private key sizes and seed vs. expaneded forms are relevant in TLS. It probably makes sense to say little about the private keys. Original: ML-KEM-512, ML-KEM-768 and ML-KEM-1024 conform to this API: ... Sugested: FIPS 203 specifies three ML-KEM parameters sets: * ML-KEM-512 has encapsulation keys of size 800 bytes, ciphertext size of 768 bytes, and shared secrets of size 32 bytes * ML-KEM-768 has encapsulation keys of size 1184 bytes, ciphertext size of 1088 bytes, and shared secrets of size 32 bytes * ML-KEM-1024 has encapsulation keys of size 1568 bytes, ciphertext size of 1568 bytes, and shared secrets of size 32 bytes Section 4. Construction ---------- Original: We define the KEMs as NamedGroups, sent in the supported_groups extension. Suggested: Each of the three ML-KEM parameter sets is assigned its own NameGroup codepoint, for use with the supported_groups TLS extension. Section 4.1. Negotiation ------------ Original: Each method is its own solely post-quantum key agreement method, which are assigned their own identifiers, registered by IANA in the TLS Supported Groups registry: Suggested: This document extends NamedGroup (Section 4.2.7 of RFC8446) with three additional values, to be added to the IANA TLS Supported Groups registry: Section 4.2. Transmitting encapsulation keys and ciphertexts ------------- The first sentence seems redundant: The encapsulation key and ciphertext values are directly encoded with fixed lengths as in [FIPS203]; the representation and length of elements MUST be fixed once the algorithm is fixed. TLS encodes the length of the keyshare, and once its content is specified below that text, there is nothing useful normative to say about fixed lengths, ... that MUST adds nothing IMNSHO. Just deleting that sentence I think improves the section. The text that matters is basically fine, but should of course match any changes in the Section 3 text, so perhaps: Original: For the client's share, the key_exchange value contains the pk output of the corresponding KEM NamedGroup's KeyGen algorithm. Suggested: For the client's share, the key_exchange value contains the encapsulation key ek generated by the client as described in Section 3 in the format specified in FIPS 203 for the associated parameter set (800 bytes for ML-KEM-512, ...). Original: For the server's share, the key_exchange value contains the ct output of the corresponding KEM NamedGroup's Encaps algorithm. Suggested: For the server's share, the key_exchange value contains the encapsulation ciphertext ct computed by the server as described in Section 3 in form the format specified in FIPS 203 for the associated parameter set (768 bytes for ML-KEM-512, ...). Is section 6.1 (Fixed Lengths) needed? Given this is not an issue for ML-KEM, it is unclear why this is worthy of discussion. Similarly, it is unclear that most of 6.2 is useful. ML-KEM satisfies IND-CCA2. If the intent is to discourage key reuse despite the fact that ML-KEM is believed to satisfy IND-CCA2, then a brief not just to that effect may be sufficient. And along the same lines, I don't see much point in section 6.3. Security considerations might instead mention concerns that ML-KEM is a comparatively new algorithm, and a hybrid construction might defend against the risk that as yet unknown attacks might render pure ML-KEM insecure, compromising past traffic even before CrQCs may turn up. Concerned users might therefore want to use or prefer a hybrid. -- Viktor.
- [TLS] I-D Action: draft-ietf-tls-mlkem-00.txt internet-drafts
- [TLS] Re: I-D Action: draft-ietf-tls-mlkem-00.txt Loganaden Velvindron
- [TLS] Re: I-D Action: draft-ietf-tls-mlkem-00.txt Eric Rescorla
- [TLS] Re: [EXT] Re: I-D Action: draft-ietf-tls-ml… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [EXT] Re: I-D Action: draft-ietf-tls-ml… Paul Wouters
- [TLS] Re: [EXT] Re: I-D Action: draft-ietf-tls-ml… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: I-D Action: draft-ietf-tls-mlkem-00.txt Viktor Dukhovni