[TLS] Re: ML-DSA in TLS
Deirdre Connolly <durumcrustulum@gmail.com> Tue, 19 November 2024 02:07 UTC
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Mon, 18 Nov 2024 20:43:20 -0500
To: Andrey Jivsov <crypto@brainhub.org>
CC: "D. J. Bernstein" <djb@cr.yp.to>, "TLS@ietf.org" <tls@ietf.org>
Subject: [TLS] Re: ML-DSA in TLS
Message-ID: <CAFR824wfVzrkx0w9=j6Hx-YUDwBkRAeCtFPdTtj80rFYSpO90w@mail.gmail.com>
In-Reply-To: <CAAWw3RhgZM68iRz3bhLdKZLsvBW0Bc_F1KMC5=ABY+o-LH-f7A@mail.gmail.com>
References: <20241116085703.138618.qmail@cr.yp.to> <9c978730-68d9-4a3f-9d3a-8e71a87ad719@redhat.com> <CAAWw3RhgZM68iRz3bhLdKZLsvBW0Bc_F1KMC5=ABY+o-LH-f7A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/arpMlrxEhQpetXJY1J02pD1jz5I>
The CNSA 2.0 FAQ states, "Do not use a hybrid or other non-standardized QR solution on NSS mission systems except for those exceptions NSA specifically recommends to meet standardization or interoperability requirements", and, "because NSA is confident that CNSA 2.0 algorithms will sufficiently protect NSS, it does not require a hybrid solution for security purposes." They specifically cite IKEv2 as a hybrid exception.

https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF

On Mon, Nov 18, 2024, 8:37 PM Andrey Jivsov <crypto@brainhub.org> wrote:

>> The reality is that we have very tight deadlines from CNSA2.0, with
>> customers actively asking for post-quantum support. For those for whom
>> those requirements apply, use of ML-DSA is not only uncontroversial, but
>> mandatory.
>
> CNSA 2.0, as clarified in a recent FAQ, does not prohibit ML-DSA+ECC.
>
> On Mon, Nov 18, 2024 at 5:54 AM Alicja Kario <hkario@redhat.com> wrote:
>
>> Answering to the broader thread: when I said "uncontroversial" I was
>> thinking more about _how_ it should be done, not _if_ it should be used.
>>
>> Answer to email below follows.
>>
>> On Saturday, 16 November 2024 09:57:03 CET, D. J. Bernstein wrote:
>> > Watson Ladd writes:
>> >> Authentication is not like encryption.
>> >
>> > I presume that you're alluding to the following process: if the PQ
>> > signature system is broken, we revert to ECC signatures, and then the
>> > attacker doesn't benefit from forging the no-longer-accepted signatures
>> > (whereas we can't stop attackers from breaking previous ciphertexts).
>> >
>> > This process leaves computers completely exposed until they've reverted
>> > to ECC. Sure, some environments are fast to make changes, but some
>> > aren't. For comparison, using ECC+PQ in the first place avoids this
>> > security failure, and will make many people less hesitant to upgrade.
>> >
>> > The revert-in-case-of-disaster process also leaves computers completely
>> > exposed to PQ attacks that haven't come to the public's attention yet.
>> > Out of the 69 round-1 submissions to NIST, 33 have been publicly broken
>> > by now (see https://cr.yp.to/papers.html#pqsrc) with some of the
>> > attacks not published for years; is it so hard to imagine that
>> > large-scale attackers found some attacks before the public did?
>> >
>> > More broadly, conflating "no attacks have been published" with "no
>> > attacks are being carried out" is unjustified, an extreme form of
>> > availability bias. Occasionally there are leaks from attackers
>> > illustrating how much damage this mistake has done. Example:
>> >
>> > https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html
>>
>> All good points, ones I agree with, but I think those are arguments
>> against wide deployment of pure ML-DSA, not against describing how
>> the algorithms should be implemented on a technical level.
>>
>> The reality is that we have very tight deadlines from CNSA2.0, with
>> customers actively asking for post-quantum support. For those for whom
>> those requirements apply, use of ML-DSA is not only uncontroversial, but
>> mandatory.
>>
>> And personally, I'd prefer them using ML-DSA than LMS or XMSS...
>>
>> For the wider Internet, where we want fail-safe options, yes, hybrids are
>> probably better. Unfortunately, I don't think we have a rough consensus in
>> LAMPS on how hybrid signatures should be done just yet, and without that,
>> we can't standardise it for TLS.
>>
>> (that being said, I don't think ML-DSA will be completely broken
>> overnight, I suspect it will be weakened over time, so migration off of it
>> won't need to happen with high agility... but only time will tell how it
>> will play out)
>>
>> --
>> Regards,
>> Alicja (nee Hubert) Kario
>> Principal Quality Engineer, RHEL Crypto team
>> Web: www.cz.redhat.com
>> Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic