IETF Logo Mail Archive

[TLS] Re: Deprecate NIST curves in hybrid key exchanges?

Loganaden Velvindron <loganaden@gmail.com> Tue, 10 June 2025 08:53 UTC

Return-Path: <loganaden@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6E9E133122DD for <tls@mail2.ietf.org>; Tue, 10 Jun 2025 01:53:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jt8C82QEdd_N for <tls@mail2.ietf.org>; Tue, 10 Jun 2025 01:53:38 -0700 (PDT)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 22AE233122D8 for <tls@ietf.org>; Tue, 10 Jun 2025 01:53:38 -0700 (PDT)
Received: by mail-pl1-x62b.google.com with SMTP id d9443c01a7336-23539a1a421so44342985ad.0 for <tls@ietf.org>; Tue, 10 Jun 2025 01:53:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1749545617; x=1750150417; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=E4HuwJPUo1EbHP74Gt/+3Gtg0m7GBl6isKq1VI1A+sE=; b=d3MLnz9B/7eH+tymAnIzMJpCe69bE1utSSpTCPcFLcoM+SiKdcL6kzOwg1TXMQ1sEM e1rSiLm3PybUjzhHqEb3wkXC24wYnu6DuAbhhMwGYP8GMxStG/+sWaR5mbA2ZKzBNIOX aPZGlrXl9MJbLMTOYNfcibCSu2HJZ94UZs80NjsTzY8xe3iKtZcL8GgXV8e6V52H2fM0 aTUj9xmoFzvGBiw6wJ391QezbEYoyuUcpSqWPfv3UC9MsxnFdeuzRrXHSg3FnuJscEes hBYUTX3XQuMnd1feEuG5bX0KMOMO/5caaiJjQ62EVA7KIt5BDTJSBsDD976ub5xvGZ2d h28g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749545617; x=1750150417; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=E4HuwJPUo1EbHP74Gt/+3Gtg0m7GBl6isKq1VI1A+sE=; b=PZelqDcolA5a5Sg4Ou8DDdj9GF/5gCvTtaEwVCceJeOIRrciCO0W1uJrZ5vmSygu2W rauTAQQK7NuCQp6N0mRZcpkdfBHw5k38bjf9qXWhQTG82sHpxAorIVg/GWdNn+C0Verj ZB51O47jt6HRSb1UQTy0D7uNz2Alb4QGpZcE4HXi/XOmfeCuaPfMHJqKBiZsLeJDYjF3 4wqgY9XdmJBmUtzHD5jts6sJQvs0Vcjwpb4zWE+VlcMcFy3lO9qx5K38KL8JJLQxkqjH cFi/yu1svBWm91x0z3cGfyMBztsewP4b2VD+cIDPRnwQxtrUjTEqV5veJpg5UCqljf4f UoOw==
X-Gm-Message-State: AOJu0YyFrDO//hnlpBY1I3AcEggMfVQrp+A1N5vYk0Akzm+vZcrvk+e8 KiBbaxgJUVCpHYQvYG15kXNnaO8YZnC3p6pRxr3QPGNIkaFuhZldxmq/msLiccr23fRTtkZytMO tAFrk5u4sU0aYXYbt3+4dJF8rvpeskImGzVgX
X-Gm-Gg: ASbGncu3sWQ0qiNgcwBk+ZfsEb0jNAC+phpZyo7up2rNZ3pdvEd5a6T8t+PIBZUFeRs 0dtkicYFCsnpwouv39Z8+WXBD8vrOfaPnP8aSlfqAGN7vmD1PbUwz76rXuKQ8qpcpIz3e6z25Nj XyL4vWqDRy4sfm4EvDw7aPiNtIk/MYN9b5xvSxCxYjIXkIprTa29swHuzc4Yj7q8yI/xsLejgGW IjI6frTWg==
X-Google-Smtp-Source: AGHT+IG3hSeHtuxIWZcUts2Z/+I1xrZpMwhTwNkeiHe6FE4yyxQSV8FjVuLTGzjjxLoxLaq/Fx9MwpaBMTPWyK2cRWE=
X-Received: by 2002:a17:90b:5607:b0:311:e358:c4af with SMTP id 98e67ed59e1d1-313474077f7mr27052091a91.16.1749545617141; Tue, 10 Jun 2025 01:53:37 -0700 (PDT)
MIME-Version: 1.0
References: <1195532cc0ad36ed049a209b6009ce0ee2469b80.camel@aisec.fraunhofer.de>
In-Reply-To: <1195532cc0ad36ed049a209b6009ce0ee2469b80.camel@aisec.fraunhofer.de>
From: Loganaden Velvindron <loganaden@gmail.com>
Date: Tue, 10 Jun 2025 12:53:24 +0400
X-Gm-Features: AX0GCFtOEU3oPFKTbFUi6KP6R99M_7Qmf5zyXWFlhiwXkubw__mIss5rpdGdTKQ
Message-ID: <CAOp4FwQqDjpYR6HJh8ERwZEHNX6auqMaM=W6ak+OkUO4MkYFpQ@mail.gmail.com>
To: "Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: KI6ZZPUC7Q43J5QXEO7DW3IZQHMJPBEE
X-Message-ID-Hash: KI6ZZPUC7Q43J5QXEO7DW3IZQHMJPBEE
X-MailFrom: loganaden@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Deprecate NIST curves in hybrid key exchanges?
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dhoKJpcI2KprDcM6nV1XyVl7jGg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Tue, 10 Jun 2025 at 12:30, Bellebaum, Thomas
<thomas.bellebaum@aisec.fraunhofer.de> wrote:
>
> Hi everyone,
>
> I have a question about draft-ietf-tls-ecdhe-mlkem. Some context:
>
> ECDHE can be performed over any suitable elliptic curve, and different curves have different tradeoffs.
> Focusing on KEX mentioned in RFC8446, Section 9, the (MUST support) P-256 provides benefits in terms of compliance with government regulations in the US, while the (much younger) curves in RFC 7748 are designed to circumvent some of the flaws discovered with P-256 deployments. It made sense to specify both of them, I think.
>
> The picture is different when looking at ML-KEM (and other PQ) hybrids. If I understand correctly, FIPS-compliance only requires one of the KEX algorithms to be approved, so the draft states:
>
> > All constructions aim to provide a FIPS-approved key-establishment scheme (as per [SP56C]).
>
> At the same time there are regular concerns on this mailing list about the dangers of hybrids. Specifically, these usually relate to the amount of code in a TLS-enabled application, and possible security issues within these implementations.
>
> This begs the question: Why are there several different curves used in the hybrids?
> More specifically, given the low amount of code required to support ECDHE on X25519 [1], why would we require applications to implement other curves as well, long term?
>
> The draft says about SecP256r1MLKEM768:
>
> > The goal of this group is to support a use case that requires both shared secrets to be generated by FIPS-approved mechanisms.
>
> Can someone please point me at the details of this use case, so that I can better understand the tradeoff?

I believe that a large government agency (nsa.gov) is using SecP256r1
on its website as a key exchange for TLS ?

 TLS 1.2 Cipher Suites:
     Attempted to connect using 156 cipher suites.

     The server accepted the following 3 cipher suites:
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256       256
ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             256
ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             128
ECDH: prime256v1 (256 bits)

I suspect that maybe other US government agencies might support
secp256r1 or prefer it for their own reasons.
Maybe the US agencies can publicly express themselves on this matter ?

Sometime ago, I made a proposal to have X25519 become a "MUST" for TLS
1.3 but that proposal failed to reach consensus.

v2.31.3 | Report a Bug | By Email | System Status