Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
Kris Kwiatkowski <kris@amongbytes.com> Wed, 17 August 2022 19:31 UTC
Return-Path: <kris@amongbytes.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 927E2C14CE33 for <tls@ietfa.amsl.com>; Wed, 17 Aug 2022 12:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kr3YLL0w3goi for <tls@ietfa.amsl.com>; Wed, 17 Aug 2022 12:31:37 -0700 (PDT)
Received: from 8.mo579.mail-out.ovh.net (8.mo579.mail-out.ovh.net [46.105.47.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72C3DC14F736 for <tls@ietf.org>; Wed, 17 Aug 2022 12:31:36 -0700 (PDT)
Received: from mxplan8.mail.ovh.net (unknown [10.109.146.70]) by mo579.mail-out.ovh.net (Postfix) with ESMTPS id 3995F2469C for <tls@ietf.org>; Wed, 17 Aug 2022 19:31:33 +0000 (UTC)
Received: from amongbytes.com (37.59.142.103) by mxplan8.mail.ovh.net (172.16.2.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2507.9; Wed, 17 Aug 2022 21:31:33 +0200
Authentication-Results: garm.ovh; auth=pass (GARM-103G0051ca8beed-21eb-4b95-8087-a5b6e9028d30, 0B2EA65F9E5EA21FD2A1445087FB99564F9C57D4) smtp.auth=kris@amongbytes.com
X-OVh-ClientIp: 169.231.190.9
Content-Type: multipart/alternative; boundary="------------5bsX2wtGcH0dow1bOLc4IGQ0"
Message-ID: <680a267a-6cd1-cf70-8f01-c31d9e823025@amongbytes.com>
Date: Wed, 17 Aug 2022 20:31:23 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: tls@ietf.org
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <e43fc649-3fc6-333b-c44d-55de0627c710@cs.tcd.ie> <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald> <38de10e6-ab3c-6ea1-44b7-57057c97e7aa@cs.tcd.ie> <CH0PR11MB5444D7D4F32F195FFB189C10C1679@CH0PR11MB5444.namprd11.prod.outlook.com> <Yve/S5OoKZMnUjNz@LK-Perkele-VII2.locald> <CH0PR11MB54447BA50DA9DA02F6DA2511C16A9@CH0PR11MB5444.namprd11.prod.outlook.com>
From: Kris Kwiatkowski <kris@amongbytes.com>
In-Reply-To: <CH0PR11MB54447BA50DA9DA02F6DA2511C16A9@CH0PR11MB5444.namprd11.prod.outlook.com>
X-Ovh-Tracer-GUID: 41ebbbb5-135f-4191-a1af-b2acc26b1ff5
X-Ovh-Tracer-Id: 4761712182002564887
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedvfedrvdehiedgudeflecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecunecujfgurheptgfkffggfgfuvfhfhfgjsegrtderredtfeejnecuhfhrohhmpefmrhhishcumfifihgrthhkohifshhkihcuoehkrhhishesrghmohhnghgshihtvghsrdgtohhmqeenucggtffrrghtthgvrhhnpedvjedvfeeulefhledtgedujeelteejkeeutedutdffuefhfeevffeffedvveehffenucfkpheptddrtddrtddrtddpfeejrdehledrudegvddruddtfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphhouhhtpdhhvghlohepmhigphhlrghnkedrmhgrihhlrdhovhhhrdhnvghtpdhinhgvtheptddrtddrtddrtddpmhgrihhlfhhrohhmpehkrhhishesrghmohhnghgshihtvghsrdgtohhmpdhnsggprhgtphhtthhopedupdhrtghpthhtohepthhlshesihgvthhfrdhorhhgpdfovfetjfhoshhtpehmohehjeel
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ac10W9ElA-sHngFulebU_PTYrtg>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2022 19:31:39 -0000
I support those choices, but would also add P256+Kyber512. * (1) same reason as below (by Scott) * (2) to be able to declare security of generated keys in FIPS-mode for _both_ - classical and post-quantum schemes (once Kyber is standardized). After double-checking with NIST today, currently there is no clear plan for updating SP 800-56A with X25519 (opposite to SP 800-186). Kind regards, Kris On 8/17/22 20:06, Scott Fluhrer (sfluhrer) wrote: > So that we get an initial answer to this (so we can put it into the draft - of course, we can debate what's in the draft...) > > Illari suggested: > > X25519+Kyber768 > P384+Kyber768 > > Well, I would suggest adding in > > X25519+Kyber512 > > For those situations where we need to limit the message size (perhaps DTLS and QUIC). > > Is the working group happy with that? > >> -----Original Message----- >> From: TLS<tls-bounces@ietf.org> On Behalf Of Ilari Liusvaara >> Sent: Saturday, August 13, 2022 11:12 AM >> To:TLS@ietf.org >> Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design >> >> On Fri, Aug 12, 2022 at 06:13:38PM +0000, Scott Fluhrer (sfluhrer) wrote: >>> Again, this is late, however Stephen did ask this to be discussed in the >> working group, so here we go: >>>> -----Original Message----- >>>> From: TLS<tls-bounces@ietf.org> On Behalf Of Stephen Farrell >>>> Sent: Saturday, April 30, 2022 11:49 AM >>>> To: Ilari Liusvaara<ilariliusvaara@welho.com>;TLS@ietf.org >>>> Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design >>>> >>>> >>>> Hiya, >>>> >>>> On 30/04/2022 10:05, Ilari Liusvaara wrote: >>>>> On Sat, Apr 30, 2022 at 01:24:58AM +0100, Stephen Farrell wrote: >>>>>> - section 5: IMO all combined values here need to have >>>>>> recommended == "N" in IANA registries for a while and that needs >>>>>> to be in this draft before it even gets parked. Regardless of >>>>>> whether or not the WG agree with me on that, I think the current >>>>>> text is missing stuff in this section and don't recall the WG >>>>>> discussing that >>>>> I think that having recommended = Y for any combined algorithm >>>>> requires NIST final spec PQ part and recommended = Y for the >>>>> classical part (which allows things like x25519 to be the classical part). >>>>> >>>>> That is, using latest spec for NISTPQC winner is not enough. This >>>>> impiles recommended = Y for combined algorithm is some years out >>>>> at the very least. >>>> I agree, and something like the above points ought be stated in the >>>> draft after discussion in the WG. >>> Section 5 is 'IANA considerations', and would be where we would list >>> the various supported hybrids, which we don’t at the moment. >>> >>> Well, if we were to discuss some suggested hybrids (and we now know >>> the NIST selection), I would suggest these possibilities: >>> >>> - X25519 + Kyber512 >>> - P256 + Kyber512 >>> - X448 + Kyber768 >>> - P384 + Kyber768 >> I would take: >> >> X25519+Kyber768 >> P384+Kyber768 >> >> The reason for taking Kyber768 is because the CRYSTALS team recommends >> it. The reason for taking P384 is because it is CNSA-approved, so folks that >> need CNSA can use that. >> >> Of course, that is likely to bust packet size limits. I do not think that is an >> issue in TLS, but DTLS and QUIC might be another matter entierely (in theory >> DTLS and QUIC can handle it just fine, practice might be another matter >> entierely. And if such problems are there, it is good to know about those... >> This stuff is experimental). >> >> >>> Of course, it's possible that NIST will tweak the definition of Kyber; >>> that's just a possibility we'll need to live with (and wouldn't change >>> what hybrid combinations we would initially define) >> I would think such changes would just mean the interim post-quantum kex is >> not compatible with the final one. Not that big of deal, there are tens of >> thoursands of free codepoints. If an implementation needs both, it can >> probably share vast majority of the code. >> >> >> >> -Ilari >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] WGLC for draft-ietf-tls-hybrid-design Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Nimrod Aviram
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Nimrod Aviram
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Douglas Stebila
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Ilari Liusvaara
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Russ Housley
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Ilari Liusvaara
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Florence D
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Jonathan Hammell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Bas Westerbaan
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Ilari Liusvaara
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kris Kwiatkowski
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kampanakis, Panos
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kampanakis, Panos
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Scott Fluhrer (sfluhrer)
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Bas Westerbaan
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kris Kwiatkowski
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Sofía Celi
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Kris Kwiatkowski
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Bas Westerbaan
- Re: [TLS] WGLC for draft-ietf-tls-hybrid-design Ilari Liusvaara