IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-hybrid-design

Kris Kwiatkowski <kris@amongbytes.com> Wed, 17 August 2022 19:31 UTC

Return-Path: <kris@amongbytes.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 927E2C14CE33 for <tls@ietfa.amsl.com>; Wed, 17 Aug 2022 12:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kr3YLL0w3goi for <tls@ietfa.amsl.com>; Wed, 17 Aug 2022 12:31:37 -0700 (PDT)
Received: from 8.mo579.mail-out.ovh.net (8.mo579.mail-out.ovh.net [46.105.47.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72C3DC14F736 for <tls@ietf.org>; Wed, 17 Aug 2022 12:31:36 -0700 (PDT)
Received: from mxplan8.mail.ovh.net (unknown [10.109.146.70]) by mo579.mail-out.ovh.net (Postfix) with ESMTPS id 3995F2469C for <tls@ietf.org>; Wed, 17 Aug 2022 19:31:33 +0000 (UTC)
Received: from amongbytes.com (37.59.142.103) by mxplan8.mail.ovh.net (172.16.2.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2507.9; Wed, 17 Aug 2022 21:31:33 +0200
Authentication-Results: garm.ovh; auth=pass (GARM-103G0051ca8beed-21eb-4b95-8087-a5b6e9028d30, 0B2EA65F9E5EA21FD2A1445087FB99564F9C57D4) smtp.auth=kris@amongbytes.com
X-OVh-ClientIp: 169.231.190.9
Content-Type: multipart/alternative; boundary="------------5bsX2wtGcH0dow1bOLc4IGQ0"
Message-ID: <680a267a-6cd1-cf70-8f01-c31d9e823025@amongbytes.com>
Date: Wed, 17 Aug 2022 20:31:23 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: tls@ietf.org
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <e43fc649-3fc6-333b-c44d-55de0627c710@cs.tcd.ie> <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald> <38de10e6-ab3c-6ea1-44b7-57057c97e7aa@cs.tcd.ie> <CH0PR11MB5444D7D4F32F195FFB189C10C1679@CH0PR11MB5444.namprd11.prod.outlook.com> <Yve/S5OoKZMnUjNz@LK-Perkele-VII2.locald> <CH0PR11MB54447BA50DA9DA02F6DA2511C16A9@CH0PR11MB5444.namprd11.prod.outlook.com>
From: Kris Kwiatkowski <kris@amongbytes.com>
In-Reply-To: <CH0PR11MB54447BA50DA9DA02F6DA2511C16A9@CH0PR11MB5444.namprd11.prod.outlook.com>
X-Ovh-Tracer-GUID: 41ebbbb5-135f-4191-a1af-b2acc26b1ff5
X-Ovh-Tracer-Id: 4761712182002564887
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedvfedrvdehiedgudeflecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecunecujfgurheptgfkffggfgfuvfhfhfgjsegrtderredtfeejnecuhfhrohhmpefmrhhishcumfifihgrthhkohifshhkihcuoehkrhhishesrghmohhnghgshihtvghsrdgtohhmqeenucggtffrrghtthgvrhhnpedvjedvfeeulefhledtgedujeelteejkeeutedutdffuefhfeevffeffedvveehffenucfkpheptddrtddrtddrtddpfeejrdehledrudegvddruddtfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphhouhhtpdhhvghlohepmhigphhlrghnkedrmhgrihhlrdhovhhhrdhnvghtpdhinhgvtheptddrtddrtddrtddpmhgrihhlfhhrohhmpehkrhhishesrghmohhnghgshihtvghsrdgtohhmpdhnsggprhgtphhtthhopedupdhrtghpthhtohepthhlshesihgvthhfrdhorhhgpdfovfetjfhoshhtpehmohehjeel
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ac10W9ElA-sHngFulebU_PTYrtg>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2022 19:31:39 -0000

I support those choices, but would also add P256+Kyber512.
* (1) same reason as below (by Scott)
* (2) to be able to declare security of generated keys in FIPS-mode for
       _both_ - classical and post-quantum schemes (once Kyber is standardized).
After double-checking with NIST today, currently there is no clear plan for
updating SP 800-56A with X25519 (opposite to SP 800-186).

Kind regards,
Kris

On 8/17/22 20:06, Scott Fluhrer (sfluhrer) wrote:
> So that we get an initial answer to this (so we can put it into the draft - of course, we can debate what's in the draft...)
>
> Illari suggested:
>
> X25519+Kyber768
> P384+Kyber768
>
> Well, I would suggest adding in
>
> X25519+Kyber512
>
> For those situations where we need to limit the message size (perhaps DTLS and QUIC).
>
> Is the working group happy with that?
>
>> -----Original Message-----
>> From: TLS<tls-bounces@ietf.org>  On Behalf Of Ilari Liusvaara
>> Sent: Saturday, August 13, 2022 11:12 AM
>> To:TLS@ietf.org
>> Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
>>
>> On Fri, Aug 12, 2022 at 06:13:38PM +0000, Scott Fluhrer (sfluhrer) wrote:
>>> Again, this is late, however Stephen did ask this to be discussed in the
>> working group, so here we go:
>>>> -----Original Message-----
>>>> From: TLS<tls-bounces@ietf.org>  On Behalf Of Stephen Farrell
>>>> Sent: Saturday, April 30, 2022 11:49 AM
>>>> To: Ilari Liusvaara<ilariliusvaara@welho.com>;TLS@ietf.org
>>>> Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
>>>>
>>>>
>>>> Hiya,
>>>>
>>>> On 30/04/2022 10:05, Ilari Liusvaara wrote:
>>>>> On Sat, Apr 30, 2022 at 01:24:58AM +0100, Stephen Farrell wrote:
>>>>>> - section 5: IMO all combined values here need to have
>>>>>> recommended == "N" in IANA registries for a while and that needs
>>>>>> to be in this draft before it even gets parked. Regardless of
>>>>>> whether or not the WG agree with me on that, I think the current
>>>>>> text is missing stuff in this section and don't recall the WG
>>>>>> discussing that
>>>>> I think that having recommended = Y for any combined algorithm
>>>>> requires NIST final spec PQ part and recommended = Y for the
>>>>> classical part (which allows things like x25519 to be the classical part).
>>>>>
>>>>> That is, using latest spec for NISTPQC winner is not enough. This
>>>>> impiles recommended = Y for combined algorithm is some years out
>>>>> at the very least.
>>>> I agree, and something like the above points ought be stated in the
>>>> draft after discussion in the WG.
>>> Section 5 is 'IANA considerations', and would be where we would list
>>> the various supported hybrids, which we don’t at the moment.
>>>
>>> Well, if we were to discuss some suggested hybrids (and we now know
>>> the NIST selection), I would suggest these possibilities:
>>>
>>> - X25519 + Kyber512
>>> - P256 + Kyber512
>>> - X448 + Kyber768
>>> - P384 + Kyber768
>> I would take:
>>
>> X25519+Kyber768
>> P384+Kyber768
>>
>> The reason for taking Kyber768 is because the CRYSTALS team recommends
>> it. The reason for taking P384 is because it is CNSA-approved, so folks that
>> need CNSA can use that.
>>
>> Of course, that is likely to bust packet size limits. I do not think that is an
>> issue in TLS, but DTLS and QUIC might be another matter entierely (in theory
>> DTLS and QUIC can handle it just fine, practice might be another matter
>> entierely. And if such problems are there, it is good to know about those...
>> This stuff is experimental).
>>
>>
>>> Of course, it's possible that NIST will tweak the definition of Kyber;
>>> that's just a possibility we'll need to live with (and wouldn't change
>>> what hybrid combinations we would initially define)
>> I would think such changes would just mean the interim post-quantum kex is
>> not compatible with the final one. Not that big of deal, there are tens of
>> thoursands of free codepoints. If an implementation  needs both, it can
>> probably share vast majority of the code.
>>
>>
>>
>> -Ilari
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email