[TLS] Re: [EXTERNAL] Re: Planned changes to Cloudflare's post-quantum deployment

David Benjamin <davidben@chromium.org> Tue, 10 September 2024 21:01 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 024ADC1CAF4C for <tls@ietfa.amsl.com>; Tue, 10 Sep 2024 14:01:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.405
X-Spam-Level:
X-Spam-Status: No, score=-9.405 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tONNK1uIMTLl for <tls@ietfa.amsl.com>; Tue, 10 Sep 2024 14:01:30 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6E2DC1D4A92 for <tls@ietf.org>; Tue, 10 Sep 2024 14:01:29 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-53661a131b4so4350988e87.1 for <tls@ietf.org>; Tue, 10 Sep 2024 14:01:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1726002088; x=1726606888; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DR/j2flXYPE5oEv86D8j7ivnWrsViRxCuJQpet3pnbA=; b=ZvJccwwmuN2F0zkKK+EXs8ONa8WKmyGzSP8kS/8RQpAKdwt5P9bQ2TOUy08Ho+utDd yGcl9SPdKYsKjL6nquFNrAMfOpJYknbcpu+vEFuS25v3ZYInfDsFcffuS+CMR7TUEpvF nJ365+PoYqaDQHuU1LUIGFixPapgOfwgvnjio=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726002088; x=1726606888; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DR/j2flXYPE5oEv86D8j7ivnWrsViRxCuJQpet3pnbA=; b=CJES16HU3/fFyaG7noyvuvF9c+B2w15gvMXffh/BSzQrfytAjIdBsMFYQaCy5c2ogx M8GzjAo3/LM3muoJ5AyEmcXVSrjVNLlxA6oC0zc5JG6yZ/NNPRXghHvagkTZ84tRFxdc 1tBmTg0A7NGyWlHEDmo5SI32NXNYbk1VbVzD8aWeNzPoD4kptxF6zNjt4ddbQH8+zaZn KE2vZUDSA0k/QaXpvb5qLfwmWzOIL9dDhXP8P4p26KxleZ3YTCLJdW3uOLmAoW7m+CY5 pLTqMyFhd6dId1TRs4ZOnn/DmGIzW0D1/uBM5kjGB3b6lw7FGV9rS2GKYeMr520WlvLJ 6LKA==
X-Forwarded-Encrypted: i=1; AJvYcCUjwQ/FmJsWUhW0WnI+3VueT8V023t2RvA7PZmKqHv130KLbxeb0z+OFigAqhbmK2brgT0=@ietf.org
X-Gm-Message-State: AOJu0YwwkLK7vbxOzooIr7iTvfUDphN33UtoRneC/i8mWCxziiuwlp4h DKmyuQ+lqBnDFavqwi9A9PNOfBPc2ftAhNnYOjVOmf1SVcM47P2SDa2Z+VMlqlBDAIs8vp+FPTN AtGHq4pzHWf7Td9BgI1r4eA1LgELR1Jb09QZ6um/RANl7C2dzOYI=
X-Google-Smtp-Source: AGHT+IGWT8jOimnBp8EUPZQdoaQPK+b+1dcWOMxyvdPAXVnUexMPq+oavrn4duDjSWnLgQstuM/23V8Pt246k1DEinw=
X-Received: by 2002:a05:6512:ac8:b0:52e:9e70:d068 with SMTP id 2adb3069b0e04-536587a7aaemr10619029e87.4.1726002087463; Tue, 10 Sep 2024 14:01:27 -0700 (PDT)
MIME-Version: 1.0
References: <CAMjbhoW9wH4=kG82tgzaDfw6QHoiMy3HSh_RkVBT9o-6a9Q1rg@mail.gmail.com> <CAF8qwaAtbJMkNZjp4AHJZtx0BAvQN5=zv-npZ-2M7BEHnRE+Qw@mail.gmail.com> <DS7PR21MB3716A20F1DAF5941371A8CBB8C9A2@DS7PR21MB3716.namprd21.prod.outlook.com>
In-Reply-To: <DS7PR21MB3716A20F1DAF5941371A8CBB8C9A2@DS7PR21MB3716.namprd21.prod.outlook.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 10 Sep 2024 17:01:10 -0400
Message-ID: <CAF8qwaCuvtUt5p6VvkOOcAhx3eHUAtB8LJwEcwZxQkpXk3sX1A@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: multipart/alternative; boundary="0000000000004e79ad0621ca2da5"
Message-ID-Hash: QKB6DWEO3WR66GHHSPAAMU5MZS72BATV
X-Message-ID-Hash: QKB6DWEO3WR66GHHSPAAMU5MZS72BATV
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>, "pqc@ietf.org" <pqc@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: [EXTERNAL] Re: Planned changes to Cloudflare's post-quantum deployment
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_w4CGxjbFzjiz7QTET6O-UVVQXE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Yup, we plan to offer it in the initial ClientHello. (We currently offer
X25519Kyber768Draft00 in the initial ClientHello, so X25519MLKEM768 would
just take its place.)

Of course, it is still the server's responsibility to correctly evaluate
ClientHellos where X25519MLKEM768 appears in supported_groups and not
key_shares, if the servers aim to reliably pick a PQ option. This matches
the WG discussion around draft-ietf-tls-key-share-prediction and
downgrades. But given we've already deployed Kyber to Chrome on desktop, I
happily don't currently anticipate needing to send such a ClientHello in
Chrome for compatibility purposes. Then there's
draft-ietf-tls-key-share-prediction itself, which interacts with this.

On Tue, Sep 10, 2024 at 4:51 PM Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

> Hi David,
>
>
>
>    - After a little time to give early Kyber adopters time to migrate,
>    we'll roll the change out more fully.
>
> Are you planning to offer X25519MLKEM768 key share on the initial
> ClientHello (in addition to X25519), or just advertise for those servers
> willing to burn a round-trip?
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
> *From:* David Benjamin <davidben@chromium.org>
> *Sent:* Tuesday, September 10, 2024 1:35 PM
> *To:* Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
> *Cc:* <tls@ietf.org> <tls@ietf.org>; pqc@ietf.org
> *Subject:* [EXTERNAL] [TLS] Re: Planned changes to Cloudflare's
> post-quantum deployment
>
>
>
> Thanks Bas! We plan to do the same for Chrome,
> replacing X25519Kyber768Draft00 with X25519MLKEM768. X25519MLKEM768 should
> be live now to a small fraction of Chrome Canary, so that servers have some
> clients in the wild to test against.
>
>
>
> After a little time to give early Kyber adopters time to migrate, we'll
> roll the change out more fully. (Due to how TLS 1.3 works, transitions for
> large KEMs are not the smoothest. Hopefully
> draft-ietf-tls-key-share-prediction will be ready for the next such
> transition.)
>
>
>
> David
>
>
>
> On Fri, Sep 6, 2024 at 7:03 AM Bas Westerbaan <bas=
> 40cloudflare.com@dmarc.ietf.org> wrote:
>
> Hi all,
>
>
>
> We are planning to replace X25519Kyber768Draft00 (0x6399)
> with X25519MLKEM768 (0x11ec) [1], a hybrid of ML-KEM-768 and X25519.
>
>
>
> We will support X25519Kyber768Draft00 and X25519MLKEM768 at the same time
> for a while to allow clients the opportunity to migrate without losing
> post-quantum security.
>
>
>
> Apart from these two, we also supported X25519Kyber768Draft00 under
> codepoint 0xfe31 and X25519Kyber512Draft00 (0xfe30). We logged zero uses of
> these two in the last week with a 1/100 sample rate. We will disable
> 0xfe31, 0xfe30 over the common weeks.
>
>
>
> Best,
>
>
>
>  Bas
>
>
>
>
>
> PS. Not sure I shared it here already, but we have public graph tracking
> client PQ key agreement deployment:
> https://radar.cloudflare.com/adoption-and-usage#post-quantum-encryption-adoption
> At the time of writing about 17% of all human traffic (by request count)
> with us is using X25519Kyber768Draft00.
>
>
>
> [1] https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
>