IETF Logo Mail Archive

[TLS] Re: [EXT] Re: ML-DSA in TLS

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 28 November 2024 17:18 UTC

Return-Path: <prvs=406248a460=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC24FC1D4A82 for <tls@ietfa.amsl.com>; Thu, 28 Nov 2024 09:18:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQ74HnO3ecpj for <tls@ietfa.amsl.com>; Thu, 28 Nov 2024 09:18:13 -0800 (PST)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) by ietfa.amsl.com (Postfix) with ESMTP id 668A0C180B72 for <tls@ietf.org>; Thu, 28 Nov 2024 09:18:12 -0800 (PST)
Received: from LLEX2019-03.mitll.ad.local (llex2019-03.mitll.ad.local [172.25.4.99] (may be forged)) by MX3.LL.MIT.EDU (8.18.1.2/8.18.1.2) with ESMTPS id 4ASHG1ZD146650 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 28 Nov 2024 12:16:05 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=veHDnOd1oql4BRj7BDyWb1ma/LLYP+Ts1cDWoMlFDPzOAczAYcr6xKYpzDNKOZxk6PzfZWxh9ANAdEnGDN3DrkLw6qIpNv4WcxEWzr04Xx4cLsUgvyAt2K8VHSbiGOafT7kISRAs6uy5J8tfJ66j1qxxWu0bSv5Z3YeH5XpWwbx09mwOKchDl3ljq1XNvhe8EWxCB2PWMSMt8OQtT5ad0bkVb0BICqB5oWQzLtqVJWdjnw/D4uO1ee3YPh2p+okIru9eYlA0IfnFwuj92fgVnWrM9rv1y+xY3R84M/MSjxy1uCKPL8vxZz+4LsT8pYXwvMsTFhfhiL7vjGFWY2M5Jw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mX0DHx70Csd+8o3aDh/HIekzk42juJiZODNw1SkfzKM=; b=GAQg+gw1wq8Uf3A1v/eTqJOTuFY3Ic+8eedMF8BUCZ8Iaw3wFLzSSaIAPcLGBoMvEF3Y0q82XFVmCFdGuMCjDcn/Ag+jdmYyAzP5y2y+97LHemRnPge1JTgjJLlsEih8xiWjkZOoHRVZcxhFg9pXb7SISiNyyOSMyciFAY7yz2gYfILs8tf2DwMIRJoTW6nuLS6Jtri+kznocSaoeqwpQDbhQ4kowVBQ0RR70cVqEGmvWP0aau25RRCKMqUXolSMjYvHbG2emCStm6iljeVmPChuMRn6Vd83Dy/xzlEqOW7MkBNqlQPD+FP6XjUogA/kamESJh34snEwhmkUs+g07g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: tirumal reddy <kondtir@gmail.com>
Thread-Topic: [TLS] Re: [EXT] Re: ML-DSA in TLS
Thread-Index: AQHbPFaFDvdNSwGEEUy91G+79jFaGbLCSB+QgAGGNYCAAqmYFYAAHusAgAACEzKAADFIAIAAbGUMgAUgoACAAJNKNA==
Date: Thu, 28 Nov 2024 17:16:31 +0000
Message-ID: <BN0P110MB1419ECE0F462E249E76950399029A@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
References: <BN0P110MB141956A14F67C282A3F0F86E902DA@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM> <20241124184822.743413.qmail@cr.yp.to> <BN0P110MB1419E2DA7237A5AAFB699897902EA@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM> <CAFpG3gc3tVryq9+WTqp_kz5o2r1-XFq9uQwM5Or0OZMmDWsL=w@mail.gmail.com>
In-Reply-To: <CAFpG3gc3tVryq9+WTqp_kz5o2r1-XFq9uQwM5Or0OZMmDWsL=w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-reactions: allow
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN0P110MB1419:EE_|BN0P110MB2145:EE_
x-ms-office365-filtering-correlation-id: 5b6d3c46-fe08-43f0-ebd4-08dd0fd0672c
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|8096899003|38070700018;
x-microsoft-antispam-message-info: ShFgocosbQZLZNcv8xhHSmrUBlb1KqZk6Q9hJ1UzcH6hUMXJp+xu9yX3Ifkdj5bgtqToOASg7y5R6r6T2FS+8ZdaSWqFKysaTXUFIp9iOpI/i6uWqGVZLXsy53P98ng1nofqr7vp5TvKqI1UO7fKtD3lG3mb1C1dZZZjRYGonB08bYi6WSvNVAZR6fe3ciR5DjJ9IpXObvXwZfh0lj8XjnHR25HF2AW3ZyY6qQ8Fcd2hSeSOD4L2ZyV1eFVQyZr+IZe2WLqk0bogLU+HDDBLPxVlQiZGUuI7zmvZRAp2Y2BMLLvk5CYf3n81sajePrgATypXc0DcK4GlRLviwoliYaWr1v61P3JoyYsLuyqING8l9un6o3xGXLdrjqxOE6NeD8+cb4CB55mGdtOwYj6sJITExLBmwkk4oj8iESuRgowcYV+vrLDEcwd6b2R0+OsphpG28TIA3t2oqgL8HQCeTfwx1ghY3wQnYus2JY5pQ0TadHHo4jK9Ngf4qU/Ytdebt+7zLs8LGR644qHtjEYpwOt9ZwMYKr6bQruPwesvOqq8usgutG4biPRj7VNp/QuPMBeYPxZSzpEDa6yof6zbC/la/Wm6XNLMKaxhIJtaeXGS4ssNklj6HwoApHu5DJVojGdKoxnYGRrahFuSicv7FEuVLmSk4Dq/lsBvLHKmdBrObxKkqalBdLfMu/W0hU3KtYqeEjTQrlOJVkxBhUDAzdpW1tpnoTzmSyAuJunX/mrUiLWPJUKyZ4ny9DoTiOyP66DptD//KZfgvCpxHv9dTIlcPU5Tb5srS7r1JxVYr2+agd5c2SP5/+zk6mVuCyG6B54En/g/BuLWEHRjBAFZ+E/NajOFFnJPdNauXIxSSyg3CmTw+2JTBirbdJEl3TVxsX997oBrH3fFAPQFGKLovTJZYQJIORlj0J0W1HWM+hGML7NjlDNvlimbv/qVktXMYYEy3L4MH3+DfWABfjRPPe184YgORdv69q7zVJGlRJthgwD1j4BqF6gTt/kVZfUbblue7VFO/Uc1Yg0HkgFE9pj5boqKYaGQkfmRAarSE+/Rlauc4nbo3tvTskKU6ihD670N5dV9ldy2uyHu7a42xvWOITlxHl/z1oPHlFWSPE/+1PDejlxnNcfYF2jju8sNof3Q+cJ71OwADANUVFX5Dt8aGgBzn1Eh+dtCW1tSn/ITqrmrLZqU1+Lyd+e8vUPTbLWKWU6vf6dTGiKZ8ILFHXDEyVnSzHDD/2uwOjQHEdXCwjlmD6njJ5NJ4qBo7VpyiXcrWY+WE2QoW6ZLPTrrT5gKAy8ZXP152pAZ7Qf0ZXg2N0QWb1spxn2NJijQ+cXAo0uvrLp7nUdTV3YcJriap1GFDiLA2EqWFqEM/ZCr/BU=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(8096899003)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: QQKkKs6nRo2CTdCXgH36ynaG31SURWyRJAgFYd1QVl5h0TT9gQFma7kA+FmkB/9+tDZN/+eczHgToaf/vbvkQJhx7fkWytAovMLAnlh70S9tajnAzO0mv/4zVP2nKEY3hyvam691LaAni2MvDh7W//rZu9f1TmMsb8SI8J2zM/2YEAb0ZfDls1Xvj4XIw16nVuQwtuRhDHS6GWOrWqgnKl+JF3VdVtNzL+ZB13yzgvkZLyxFdVJZuwIsttuIUvb6FIZJpSQCKSyuZTA7e+3FXrHHqEmmYk3P3xQj/xVqa9Jms+c1D/IKkRxzMli9BQ1WgAN78C10CCvrRpgdV1aQFVFdBmCR3G+kJfGMVGlxNHqqgyxr5n9xR9HAKaLuSCCE8LxDLXoCBXKlzIL3xahatn3xk9oUPDhpQXJCWanBUazuP4LhsU4lI9oPL2RuH1d9L4V1de6h3gENNoxuutnZMCN7erMh8W4f8cjdxQbvPgOrP9M5mE/EnZKsnMsmjXCyiIixL8r4WTY5hNXUTSdDC1jMVmQE6XKz8cw9d74G3t/W7bOkTkCjvn7Iw8aPdsfhNXpmvumDVHHCiD5vYomqjLoNGcPmSjnJAxtNBdDAEoyh0HhcxkdnCtFKj5q64hodREUkVSx9qNaZA/5cYjgQdA2J6rItYhz1f2OrgRLmpy6aSR6yWwx3hbOV9h7seoE5YCjv25G9+9dMqbTSa6jiVLC1cmeXZYVLv16tg1gItY3Ijw7nlfxXa98LqOdSPLm9nUmykotck8XEoOzVJ2d6p++X/WwXFmzwMN+8P0Z5P5JizXOWPQcq90P1jfGxZO9hgSRCwbZ1tBK1vWtXv8Uw9dZsyjjMmXL/ojviJ8KR0X6Z4/F8hWBVD2Bb818aK6LM+4M2TwzUUk1K1n1KZR9nRBv5TRnJQ1snlRXZUH9zZssA3X73k0g3IjBVWDQATs4LqsY82WThTvtFp8IGlgwh5ZkWirFc/sqs1zCS7rNZaxh8gV+iuvB4n2B+dpOL751LUGMhoNDbi2l4SY1urpnMx7SuQg8hvVeIeMztbw+AbgzSZumCXX9JvR7629oxn2mXSAu5aKHWmwSMPJE5tbyw0cvAIUNGJEtGZ3xzNINqtV6VKMcSxK+PWMuAdKG+J0RP2ddMsWhuHrqLbyfSFrSCe/8LZeI1Z6HERuwYSSS6BBGuzqswVtSe2yzhLWr+DglTIBfrJhn6bHfW/ilq2IUQj9UJXtUUoHiiC4ITbTZZA45PJto5QU1huMoDijgGbY+MV9GEoFchzbRUqi8Fu3iNPhJ7W5BQfyb+Zn6a/8nR86H3A9II6rAEProfYRVeiLYgInRt+6e3mcnDWywgCuB6BFZY/Sb2MfnqIqgVSH7gozR1/N/GwKDl9+7aWEtK86a8BTZAHDPaqLjJPKK+/EgpBx4AI4mrjkKwzUEclryLQFN79oPe8iBya9EtrXn5/RBgL6iqBD3EcmIVIW+8fnlm6ovBcZI96gWeVxbPAjom3p/lluYsflYorso6GlYV9v2r
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_A343726D-A92E-B34E-BD58-0280A704A2BE_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 5b6d3c46-fe08-43f0-ebd4-08dd0fd0672c
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Nov 2024 17:16:31.4823 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB2145
X-Proofpoint-ORIG-GUID: ngoMVMonYk72RkImUzrA7MnDyxNz2lv_
X-Proofpoint-GUID: ngoMVMonYk72RkImUzrA7MnDyxNz2lv_
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2024-11-28_16,2024-11-28_01,2024-11-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 mlxscore=0 bulkscore=0 malwarescore=0 mlxlogscore=999 phishscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2411120000 definitions=main-2411280136
Message-ID-Hash: V436LKK6OE2TNQ4VTMTRTVXIMJO2Z7E4
X-Message-ID-Hash: V436LKK6OE2TNQ4VTMTRTVXIMJO2Z7E4
X-MailFrom: prvs=406248a460=uri@ll.mit.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "D. J. Bernstein" <djb@cr.yp.to>, "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_eBpFGEtqahLUuT1hsZxFGrSA4A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

> To clarify, are you continuing to claim that there's "no damage possible
> (at least, in the TLS context) caused by PQ DSA break", despite the
> facts that (1) upgrades often take a long time and (2) attackers aren't
> going to announce their secret attacks? 
For (1) I call it not an “upgrade” (i.e., to something new and often untested yet), but a “downgrade” – reverting to the “old mature and well-tested ECC code”. Shouldn’t take long at all. 
For (2) – why do you assume there are no secret attacks against ECC? Merely because you couldn’t find one, and nobody announced it yet? 
>> then don’t move to PQ DSA until either CRQC is announced
>
> That would be too late. It completely fails to address the large risk of
> quantum attacks happening before the first public attack demos, plus it
> leaves users vulnerable during the upgrade period. 
You don’t really need PQ DSA until CRQC is here. At this point, everybody seems to agree that there is time before CRQC arrives. So, keep studying/exploring/attacking PQ DSA, and prepare code and infrastructure to deploy it – but use ECC for now. . . . . 







The deployment timeline for new algorithms and standards is lengthy. 

Of course. But we aren’t talking about new algorithms here! Unless you consider ECC and/or RSA that have been in the deployed codebases for ages now – new? 

I’m repeating my points: 

* Hybrid only make any sense for one scenario: CRQC is not available, and PQ algorithm used is broken via Classic attack. In all the other possibilities Hybrid is useless from the security point of view, and only adds unnecessary burden. 
* Thus, if/when CTQC arrives – ECC (or any other Classic algorithm) become useless, regardless of whether the PQ part is or is not broken. 
* Until CRQC arrives – one can safely use ECC (or other trusted Classic algorithm) for TLS signatures, and keep experimenting with and studying PQ algorithms to one’s heart’s content. 

Moreover, it may not always be feasible to easily tweak configurations to enable/disable algorithms dynamically when CRQCs become publicly known. We would like to also consider the potential impact of zero-day vulnerabilities, where exploits are discovered and used before vulnerabilities are publicly disclosed. Proactive preparation and deployment of hybrid signature schemes reduces the risk of being caught unprepared in such deployments. 

When CRQC existence becomes known – hybrids would have no place anyway. At that point tweaking is useless. Then, either your PQ algorithm is strong, or it is broken. If it is broken – you’re dead, regardless. If it is strong – the fact that you carried (e.g.,) an ECC signature along the PQ one, was just a waste. 

As for PQ algorithms maturity (“but can we ‘really trust’ PQ? What if…?”) – let’s look back at, say, ECC: 

* 1985 - invented (I probably still have the original paper by Victor Miller, then at IBM Research) 
* 1998 – IEEE P1363 standard 
* 1999 – NSA Suite B 
* 2012 – TLS includes ECC (note that a big holding-back factor was legal: Certicom held ECC patents, so many people wanted to wait until they expire in 2015 before actually deploying ECC-using commercial code) 
* 2015 – dominance 

And now compare this with, e.g., Lattice-based crypto: 

* 1950s – mathematical study of Lattices 
* 1982 – Lenstra’s LLL algorithm to approximate lattice basis reduction 
* 1996 – NTRU concept by Hoffstein, Pipher, and Silverman 
* 1997 – proposal by Ajtai for Lattice-based PK encryption scheme 
* 2001 – NTRU cryptosystem formalized 
* 2005 – new hardness assumptions (Oded Regev), LWE 
* 2010s – Ring-LWE 
* 2022 – NSA CNSA-2.0 
* 2024 – NIST standards 

Looking at the above time-scale, Lattice-based crypto appears to be roughly where ECC was when the crypto-world decided “we’ve studied enough, it is reasonably safe now to rely on ECC”. How long until you decide “yes, we’ve studied RLWE enough to place our bet on it”?

v2.46.0 | Report a Bug | By Email | System Status