[TLS] A suggestion for handling large key shares

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 19 March 2024 04:47 UTC

IronPort-PHdr: A9a23:4PUoxhVYo5LEOJkiBpinW9T/1V7V8K02AWYlg6HPw5pUeailupP6M 1OavLNmjUTCWsPQ7PcXw+bVsqW1QWUb+t7Bq3ENdpVQSgUIwdsbhQ0uAcOJSAX7IffmYjZ8H ZFqX15+9Hb9Ok9QS47lf1OHmnSp9nYJHwnncw98J+D7AInX2t+50/2y4ZDJSw5JnzG6J7h1K Ub+oQDYrMJDmYJ5Me5x0k7Tr3lFcPgeyWJzcFSUmRu9rsvl9594+CMWsPUkn/M=
IronPort-Data: A9a23:i2qI4aAy8MI5bRVW/1vjw5YqxClBgxIJ4kV8jS/XYbTApGgqgzUGm GQaCmuEbKqLY2L0L9FzPIuwoUgGv5fTzYNmOVdlrnsFo1CmBibm6XV1Cm+qYkt+++WaFBoPA /02M4SGdIZsCCaE+n9BC5C5xVFkz6aEW7HgP+DNPyF1VGdMRTwo4f5Zs7ZRbrVA357hXGthh fuo+5eDYAT8i2YuWo4pw/vrRC1H7ayaVAww5jTSVdgT1HfCmn8cCo4oJK3ZBxMUlaENQ4ZW7 86apF2I1juxEyUFU7tJoZ6nGqE+eYM+CCDV4pZgtwdOtTAZzsA6+v5T2PPx8i67gR3R9zx64 I0lWZBd1W7FM4WU8NnxXSW0HAlnIqNc/rDNH0SUqO7CkFP5V1Lo7f9xWRRe0Y0woo6bAElU/ vAebTsKdB3G26S9wamwTa9ngcFLwMvDZdxE/Co/i2CCS697HPgvQI2SjTNc9Cw+gt1OB/vET 8EYcjFoKh/HZnWjP39NU8hlxLb43yeXnztwq3u8nPZwuG7q1x0gk6H0E4PfRoCEbJAA9qqfj jmbpzuiWE5y2Mak4SaB6Vqti/PB2yThV+ov+KaQ7PVmhhiYwXYeTUFQXlqgqv7/gUm7Mz5CF 6AK0jMxo7I0+0aVcvLkfUznvkGglxoyUcUFRoXW9zqx4qbT5g+YAE0NQThAdMEquacKqdoCi AXhczTBW2YHjVGFdU9x4It4ut9bBMT4BXUJaSlBRgwf7py/5ooylRnICN1kFcZZb+EZ+xmun VhmTwBn293/aPLnMY3gojgrZBr3+/D0ovYdvFm/Y45cxloRiHSZT4Kp80PHyv1LMZyUSFKM1 FBdxJHGs7BQU87QyXDSKAnoIF1Pz6vUWNE7qQM/d6TNCxzwk5JeVdkJv2EgfhsB3jgsJmO0C KMshe+hzMQOZCTxN/Afj3OZAMUxxq+oDsX+Sv3RdZJPZJM3HDJrDwkwDXN8K1vFyRB2+YlmY M/zWZ/1XR4yV/89pBLoHLh17FPe7n1krY8lbcqln03PPHv3TCP9dIrpx3PVNrxjvfnZ+VmJm zudXuPToyhivCTFSnC/2aYYLEsBKj4wApWeliCdXrfrztZOcI35N8Ls/A==
IronPort-HdrOrdr: A9a23:Ut2BEamjAE8X2oWdf48Mrer851/pDfOKimdD5ihNYBxZY6Wkfp +V7ZcmPE7P6Ar5BktApTnZAtj9fZq9z/JICPoqTMiftWjdySCVxeRZnOnfKlLbalfDH4JmpM BdmstFeZfN5DpB/LvHCWCDer5KrqjjgcSVbIzlvg5QpHRRGtpdBnBCe36m+yNNNW97LKt8Pq CxouBAoD2tc2kWaMOUOlkpNtKom/T70LjdTVojHRAI1Cmi5AnE1Ff9KXel9yZbdwkK7aYp8G DDnQC8zL6kqeuHxhjV0HKWx4hKmfP6o+EzSPCku4wwEHHBmwyobINuV/mppzYuutyi714sjZ 3lvwogBcJu8HncF1vF7icFmjOQngrG2UWSiWNwskGT4vARgwhKSfapsLgpMycxLXBQ+e2Unp g7m15x/KAncy8o1B6NluQgESsa23ZdZREZ4KguZ7s1a/pYVJZB6YMY509bC5EGAWbz750mCv BnCIXG6O9Rak7yVQGugoBD+q3ZYp0IJGbwfmES/siOlzRGlnFwyEUVgMQZg3cb7Zo4D51J/f 7NPKhknKxHCpZ+V9M0OM4RBc+sTmDdSxPFN2yfZVzhCaEcInrI75r6+q886u2mcIEBiJEyhJ PCWlVFsnNaQTOmNeSemJlQthzdSmS0WjrgjslY+phio7X5AKHmNCWSIWpe5vdIY89vcPEzAc zDSK6+K8WTXlfTJQ==
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "TLS@ietf.org" <tls@ietf.org>
Thread-Topic: A suggestion for handling large key shares
Thread-Index: Adp5tZo8ZNeXKme6SCu2R7NgBj+X7g==
Date: Tue, 19 Mar 2024 04:47:20 +0000
Message-ID: <CH0PR11MB544488B051C041EB32541AB6C12C2@CH0PR11MB5444.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: wbXHLbdP6TkBnbcnYLvUXH4VNBSV0z8pNT7hN35c1MRwKE/EExJtRoc8xJ/Bhcd4HAeSEW5txrnlynzq/q2iSim8LKuPW3hwABap3lthDCrAW5jHB6sqc8O9TW0PkOwHAKNBVSYMQU49WuHkiypQKREWRHhkKzMsUqxACRbrP81Kdsao6fJUDRda7shamOvzLG0esbzRCNSuTztkUopStF0hUnul0hsHwZpEzeu3BldLLf1yCLyJfoznUdfYRlBTHJLaQ5RwTA1wLYJnU3a6uIz7qn80fUDZvagJGYCngHouM3kUJiDpB5wrT/VxY2TVzPm7z/wOlAf+/J0/lCvw9IyUPlvOuzCY5EtioE0GhxYbmE1ngpxTfXra+8NScjnFyAvOvJfs+L+IHxxmloXRxJkaPQ79VXx3EMBKwTSN3RWa+gOJ6h5wmHC5h1RTakPXeNIuUtCKCbcay5Kx7YzLpP10ZWlEtwn+GuQt2fbomTrbhbt5AFjJRfh7StGlMAPqxo3gaIHbu01XICx3b4rK2JSWMEFj5mfLLC6XX8de0/Da4T3ebmwygFN3TMiiEIGfgKNXT5qwchBzY0sLsCMYU+cyjAGWgHIOWbomupCVAJUSFLoRU1fE/mGlcMdw72IcTgUDjhsZoX0eweR0QxFtp6h/n+9sWDp445vg9m0cFKrgZWZ2bm9R+sLgyIyLaWt1VW/9r/7Fi/3Xt0qR64hOUscDxdxHe7tIDztoFNzH/JRPJzOQggTVhu7OMm8Sn39zGJMWTdl4VCduq2VzNp5dMe954m8YqIhSg/N1QIl6YgALemBTYkF0Lh+UnA/XVc1ka3vWyhhyFGydkszcm+Yg6ApZM75AYOuebQu4WuR2dCUTHLsxyE708T1CyEiWsWHZpVjYPQ9L+VN607Wn/mJF06Xi4Pomke+k4cYRDyih7IrpOo3Srbm9KkUAr3MhhQutfVVepINEDVgHrk7w7DuS5IsV1N2H5DyGnAgeAG3RSFqyhfcKPU0RhUySwdDrL17wZ5R75IfxMD44PD2p4vAUHBB1LAq707qsC5Eq+uxpevIZS4aTdhrFI3ArmjiajLomKsEUYBwx/0xsss7wULJmsTYb41cWL3H+7rOjJud7XQMn8orHnz+SdbcssOZrhLhpudvbfKh136oBZkad4SkPQkkRh5+E3pp2NkJG2EEoB0chj2ljxN+gRBakNJY8NdH8vOiGrwt2L/p9/VZhuzG9PV16/xkA4/wwtE1hZ2zSDyEh1az3IamophdvCCkT0BMSs2CHCAHtS68UyIcOAx9xHA72jD3U0km8vKbXKhni+zno/SMXmJgaqxCt7KvmKErrmjKYYTUSeFaGFZH67qSY8ieEGUBZCg9BQSX3DNnjnwFhOdAWVrOc65Ukg6objX5DUwdXWZjXajFzWUHFw9OSd305/pSHJBjMCgeWDR12bBWqyxai7WXvpnPJ5S0PgHo+tqucZnBPQkaWiXO0lMWVg84HloGHpVcvrb0Wo05bxV5RQh3mA6/rW0fkCCmlw8tH4fxdGAWWFhk0z3RVL9jPncnsJLswTwzNvRsjnTTbXMcbatKedUvg2XK2s8SIC3fWB+DmEnN0j9mppbhWeroU33q8YzfXbLuJvT/lIHGt38w=
Content-Type: multipart/alternative; boundary="_000_CH0PR11MB544488B051C041EB32541AB6C12C2CH0PR11MB5444namp_"
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5444.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f51d22e1-744d-41e2-e9d7-08dc47cfa9a9
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Mar 2024 04:47:20.9646 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TZ3/GRT0FGeCtVZDw1hyo4YSrwouYf8vb3c1kRa8vCE9VE9FbS8sMH/slR3zStICp5yP2G94A5dEO5wCYW97PQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR11MB7319
X-Outbound-SMTP-Client: 72.163.7.162, rcdn-opgw-1.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZzRlUMRq125CXT9WFOmUjrQUrwo>
Subject: [TLS] A suggestion for handling large key shares
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 04:47:27 -0000

Recently, Matt Campagna emailed the hybrid KEM group (Douglas, Shay and me) about a suggestion about one way to potentially improve the performance (in the 'the server hasn't upgraded yet' case), and asked if we should add that suggestion to our draft. It occurs to me that this suggestion is equally applicable to the pure ML-KEM draft (and future PQ drafts as well); hence putting it in our draft might not be the right spot.

Here's the core idea (Matt's original scenario was more complicated):

* Suppose we have a client that supports both P-256 and P256+ML-KEM. What the client does is send a key share for P-256, and also indicate support for P256+ML-KEM. Because we're including only the P256 key share, the client hello is short
* If the server supports only P256, it accepts it, and life goes on as normal.
* If the server supports P256+ML-KEM, what Matt suggested is that, instead of accepting P256, it instead a ClientHelloRetry with P256+ML_KEM. We then continue as expected and end up negotiating things in 2 round trips.

Hence, the non-upgraded scenario has no performance hit; the upgraded scenario does (because of the second round trip), but we're transmitting more data anyways (and the client could, if it communicates with the server again, lead off with the proposal that was accepted last time).

Matt's suggestion was that this should be a SHOULD in our draft.

My questions to you: a) do you agree with this suggestion, and b) if so, where should this SHOULD live? Should it be in our draft? The ML-KEM draft as well (assuming there is one, and it's not just a codepoint assignment)? Another RFC about how to handle large key shares in general (sounds like overkill to me, unless we have other things to put in that RFC)?

Thank you.

[TLS] A suggestion for handling large key shares Scott Fluhrer (sfluhrer)
Re: [TLS] A suggestion for handling large key sha… David Benjamin
Re: [TLS] A suggestion for handling large key sha… tirumal reddy
Re: [TLS] A suggestion for handling large key sha… Bas Westerbaan
Re: [TLS] A suggestion for handling large key sha… Kampanakis, Panos
Re: [TLS] A suggestion for handling large key sha… Rob Sayre
Re: [TLS] A suggestion for handling large key sha… David Benjamin
Re: [TLS] A suggestion for handling large key sha… Kampanakis, Panos