[TLS] Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Kris Kwiatkowski <kris@amongbytes.com> Sun, 10 November 2024 12:38 UTC
Return-Path: <kris@amongbytes.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEB88C14F617 for <tls@ietfa.amsl.com>; Sun, 10 Nov 2024 04:38:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=amongbytes.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1m_GWjd-3XqC for <tls@ietfa.amsl.com>; Sun, 10 Nov 2024 04:38:42 -0800 (PST)
Received: from 7.mo580.mail-out.ovh.net (7.mo580.mail-out.ovh.net [46.105.48.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 131CCC14F604 for <tls@ietf.org>; Sun, 10 Nov 2024 04:38:40 -0800 (PST)
Received: from mxplan8.mail.ovh.net (unknown [10.108.2.13]) by mo580.mail-out.ovh.net (Postfix) with ESMTPS id 4XmXKW2kdcz16SJ for <tls@ietf.org>; Sun, 10 Nov 2024 12:38:39 +0000 (UTC)
Received: from amongbytes.com (37.59.142.105) by mxplan8.mail.ovh.net (172.16.2.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2507.39; Sun, 10 Nov 2024 13:38:39 +0100
Authentication-Results: garm.ovh; auth=pass (GARM-105G0069bac5bc6-2eed-47bd-b003-a7937454396a, 4440684884572CB2DE4C586CFEC0DD51B8B2CA03) smtp.auth=kris@amongbytes.com
X-OVh-ClientIp: 62.30.61.232
Content-Type: multipart/alternative; boundary="------------3Xx792Cfkl075ECbdZtpI0pC"
Message-ID: <8413a5e4-e622-451d-a235-bee4503288bb@amongbytes.com>
Date: Sun, 10 Nov 2024 12:38:38 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: tls@ietf.org
From: Kris Kwiatkowski <kris@amongbytes.com>
X-Ovh-Tracer-GUID: 00730309-229c-447d-a053-f5c4c58b79f8
X-Ovh-Tracer-Id: 12199969919581011735
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeefuddruddtgdegvdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecunecujfgurheptgfkffggfgfvhffusegrtderredtvdejnecuhfhrohhmpefmrhhishcumfifihgrthhkohifshhkihcuoehkrhhishesrghmohhnghgshihtvghsrdgtohhmqeenucggtffrrghtthgvrhhnpeduudfhtdelveeufffhjeejgeffteeiueevffeuffetteejffeugeekhfdvtdekkeenucfkphepuddvjedrtddrtddruddpiedvrdeftddriedurddvfedvpdefjedrheelrddugedvrddutdehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepuddvjedrtddrtddruddpmhgrihhlfhhrohhmpehkrhhishesrghmohhnghgshihtvghsrdgtohhmpdhnsggprhgtphhtthhopedupdhrtghpthhtohepthhlshesihgvthhfrdhorhhgpdfovfetjfhoshhtpehmohehkedtmgdpmhhouggvpehsmhhtphhouhht
DKIM-Signature: a=rsa-sha256; bh=qlqdiX6dBzn2roo5B0HNKLANRzwV+h3m5RvPk7208Yc=; c=relaxed/relaxed; d=amongbytes.com; h=From; s=ovhmo2671616-selector1; t=1731242319; v=1; b=oL7INiSNa/pczPinWeDk22UxcsGPmg7qPlyhWALJr8fcHjQta1VCTseIu95NgOD7VQCFPZ5W rgvDwztXKIxh9nZEVPNruKVM8650ioE8/tYx/gYBIKi5mzIYLHdU4+SSaCsiRk2UHCm7tR1f50G GofpTxYXYMYpQklYMBBjZHUuQ2Ml0Ct68IUb8dfE87wvMZrZK8MoAB0xU1o71dMdjFwUTaregvN A/yyysf324LtqfwWtLK5P5We23SZAtru1bWv9ZaZjoKpaVKOFQ2x1p6GxUJTYunuzh1iCeoB1zf AlpanoRBTH0Tz+/RW3Q4he6L3izex/hj0ONQV+Wb6xNRg==
Message-ID-Hash: WPHV6LRTH5YIQ6OERTX2YQMUVSLS6A6X
X-Message-ID-Hash: WPHV6LRTH5YIQ6OERTX2YQMUVSLS6A6X
X-MailFrom: kris@amongbytes.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/V5r0rdcr_i7SNqSgKmaJcarXlQE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hello, As discussed during the TLS session at IETF 121, we would like to propose the adoption of draft-kwiatkowski-tls-ecdhe-mlkem. There are a few open questions that need to be addressed: 1. **Alignment of NamedGroup X25519MLKEM768** with the order of shared secrets, as per Section 3.2 of draft-ietf-tls-hybrid-design. - I suggest updating the name to mlkem768_x25519, while keeping the codepoint unchanged (if that is acceptable). If this change is made, I also recommend changing the name of Secp256r1MLKEM768 to align with x25519. 2. **Changing the order of shares in Secp256r1MLKEM768**. - The current order is based on requirements from SP800-56C-r2, and it was chosen to facilitate the migration of the TLSv1.3 handshake in a flow requiring FIPS certification. Although the switched order of shares aligns with FIPS, it necessitates the re-certification of the cryptographic module. The current order supports modules that are already deployed in the field. My (slight) personal preference would be to proceed with adoption but switch the order only if NIST relaxes the requirement regarding the order of shares in SP800-56C-r2, which we know is under discussion. Otherwise, I believe the current choice better supports migration to non-hybrid MLKEM, but I would appreciate feedback on this decision (ideally from others who have a requirement for FIPS). 3. **Setting RECOMMENDED=Y for Secp256r1MLKEM768**. Additionally, we plan to register Secp384r1MLKEM1024, but I believe this should only be done once we reach a consensus regarding point 2. Thank you! -- Kris Kwiatkowski Cryptography Dev
- [TLS] Post-quantum hybrid ECDHE-MLKEM Key Agreeme… Kris Kwiatkowski
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Alicja Kario
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Deirdre Connolly
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Bas Westerbaan
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Deirdre Connolly
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Alicja Kario
- [TLS] Re: [EXT] Re: Post-quantum hybrid ECDHE-MLK… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Andrei Popov
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Loganaden Velvindron
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… John Mattsson
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Salz, Rich
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Kris Kwiatkowski
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Bas Westerbaan
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… David Benjamin
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Kris Kwiatkowski
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Viktor Dukhovni