IETF Logo Mail Archive

Re: [TLS] ML-KEM key agreement for TLS 1.3

Sophie Schmieg <sschmieg@google.com> Thu, 14 March 2024 19:41 UTC

Return-Path: <sschmieg@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5473C14F6BE for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 12:41:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.606
X-Spam-Level:
X-Spam-Status: No, score=-22.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6DgdY6EXXOrP for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 12:41:07 -0700 (PDT)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3608C14F6A1 for <tls@ietf.org>; Thu, 14 Mar 2024 12:41:06 -0700 (PDT)
Received: by mail-vs1-xe2a.google.com with SMTP id ada2fe7eead31-4733d7040dfso185370137.0 for <tls@ietf.org>; Thu, 14 Mar 2024 12:41:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1710445266; x=1711050066; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0P7+DYhmbH8LPSfXbRpD71+olf+i9pKo7Ku/n7bUlbg=; b=uYebYX5ky/jLBA5qnBr5w8SGQBnSND48E8yL2uylhKEw9usxrec04wj4wUVHvB2yHX bLCIo5Faf5Dl8ro9SA2RUwep7vqDS/m+//DKAYbVh3ajlW0e4PdKaUYn1fKQBXfZbjmm CmG329z/7oEC/VH5DmWj8qVDBzNwPQ3Bm7qgcui22Tutx6CCyD7xI5m+9OqzCQx0oGGx rdYcI/zr76xoVZY+aC/YlcNpEeNdIqwVTMniKbDNxrrfuJ3yvw6z09T26MwJztv0QVko xc18p8rTCxkNX2WeKBi71KyUQ2JkRhkt4aXvFcBuX/XPW2m5cdxvfdOXz9OLWYc2Z1i3 GHxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710445266; x=1711050066; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0P7+DYhmbH8LPSfXbRpD71+olf+i9pKo7Ku/n7bUlbg=; b=pnHsA6xQ/3bP3gVi48QOhXbQQTMrLeWwsuizBagGXwZihTXkYVon4+WKUuGetaqSGa Bw1RdkpOcJwlUPJ122vV/0lgNxEy8ruPnB0QnO/LUvuOS+r6s4gZks1CRs5nG6oHUQVy e30YPOMlP4uLGGefglYxYfCzUlx73X/e4oo6Wd2V6SZkZAlzcS6wJ6AXYGqCTmlwJ15j 1Zlx1dAkC5mmzldBY2eWOmt/Xkedav3cYPQ+/jXnLhYtLbIKgMFXw8k7H0na6ebB+Okp i2bjKIvehMftzW4Ysg1NY+blb5rYGDe8+PzEbfmtkNmOlitlczlNE2PaJzZfZYSkE9TC rCqw==
X-Forwarded-Encrypted: i=1; AJvYcCWWIwzrGVuW0ENwjHgr2tBM/23hAxy7yKY/0fNpraO9WSlpfNCdfYSYEWFLGpc9CDrI9OoLEa6NjaVE3m4=
X-Gm-Message-State: AOJu0YwvQ7SWz1WUE+oZOvFJMnRbW+yIhspoQmV5OQJuEUjlT3nqQC2w yvpMSnMlNgpe/YY1kS4xcOWTHhPGTWlYeuTCZzq4NT2++e0XpkjlKZlQE/6/TprxsvxoBN+X+lQ T568OciWv87iQJb4DF6t4l6Cc+wp1m6QhdNeS
X-Google-Smtp-Source: AGHT+IHgLNnLTFzF0jTlTBM/mY5LYbf3rI22ZUDc+Kv+isioWd9426J9HkZwgubIxWPhb0JQKMOfIMumH3z26Beehk0=
X-Received: by 2002:a05:6102:419f:b0:472:7498:3edd with SMTP id cd31-20020a056102419f00b0047274983eddmr1572306vsb.7.1710445265595; Thu, 14 Mar 2024 12:41:05 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824wL3sZKoD6OzVpOi8=HZ+aFjqVi4L8UsF8b0p18KOEqVA@mail.gmail.com> <PH8PR09MB929495934EEC8829232EE5DCFC2A2@PH8PR09MB9294.namprd09.prod.outlook.com> <CAFR824ySu7+kA4a_3n9ytg6=3Ow-CPHR+dUJxYOhyh3wOnt1VQ@mail.gmail.com> <8ccc5807-d958-4d9d-8d8c-9b181f0fd708@nist.gov>
In-Reply-To: <8ccc5807-d958-4d9d-8d8c-9b181f0fd708@nist.gov>
From: Sophie Schmieg <sschmieg@google.com>
Date: Thu, 14 Mar 2024 12:40:50 -0700
Message-ID: <CAEEbLAbBB-BkjPWKw2DXJbTG8z4vdJ4sHiVd2Od+6tS0sGNThA@mail.gmail.com>
To: "David A. Cooper" <david.cooper=40nist.gov@dmarc.ietf.org>
Cc: Deirdre Connolly <durumcrustulum@gmail.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007717d10613a412e0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eYUG4DDkfoaGeMAkZHVGGeqcVq0>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 19:41:10 -0000

There was a push to change the parsing logic for ML-KEM public keys to
never fail, by silently reducing, without changing the hash of the public
key. I am not sure if NIST ended up adopting that change for their final
standard (I hope they did, I think it's the best way to handle this
problem), which would mean that any appropriately sized binary string is a
valid ML-KEM public key. For ciphertexts, this property is already the
case, due to the compression that is applied in ML-KEM. If NIST
incorporated this change, there would be no way for the ML-KEM based key
agreement to fail explicitly, any failure would result in an implicit
rejection.
In the end, this seems to be the same as with elliptic curves as is as
well, point-not-on-curve checks can result in an explicit rejection of a
keyshare (for the curves where it can occur), and manipulation of the
keyshare (by an attacker or some accidental bit flip that somehow was not
caught) would result in an implicit rejection here as well, with server and
client computing a different shared secret. The only new possible error
path I see is due to random decryption failure of a KEM, but given the
cryptographically low chance, I'm not certain if this failure needs special
handling in any case, and shouldn't be treated the same as a corrupted key
share. After all, they are so unlikely that "cosmic rays flipped all the
right bits for QUIC error correction to not notice" is far more likely to
result in a decryption error, so treating it the same as a decryption
failure due to a corrupted ciphertext seems fine to me.

On Thu, Mar 14, 2024 at 11:43 AM David A. Cooper <david.cooper=
40nist.gov@dmarc.ietf.org> wrote:

> I do not believe that "decode_error" would be the correct alert. As the
> text currently says:
>
> *Failures* Some post-quantum key exchange algorithms, including ML-KEM,
> have non-zero probability of failure, meaning two honest parties may derive
> different shared secrets. This would cause a handshake failure. ML-KEM has
> a cryptographically small failure rate; implementers should be aware of the
> potential of handshake failure. Clients can retry if a failure is
> encountered.
>
> At least in the case of ML-KEM, decapsulation failures are implicit. As
> noted in the text above, the parties would derive different shared secrets
> (but they wouldn't know it). So, the client would not know that
> decapsulation failed, it would just be unable to decrypt the encrypted
> extensions, certificate, etc. The client would have no way of knowing
> whether this happened because of an ML-KEM decapsulation failure (extremely
> unlikely) or because some data was changed in transit (much more likely).
>
> Given how small the ML-KEM decapsulation failure rate is (2^-139 or less),
> I wouldn't be surprised if random bit flips in transit that aren't caught
> by a CRC or other check are more likely than ML-KEM decapsulation failures.
> Since the two are indistinguishable to the client, the client would have to
> handle them in the same way. So, I would suggest either omitting this
> paragraph or just note that a decapsulation failure would be
> indistinguishable from a scenario in which some data was changed in
> transit, and so would be handled in the same way.
>
> On 3/13/24 7:08 PM, Deirdre Connolly wrote:
>
> 4. In the Discussion section (on github), does the portion on failures
>> need to contain more information about how a failure should be handled in
>> TLS? Should a decrypt_error alert be sent?
>
>
> Oh very good point, DH doesn't usually fail like this; either because of
> fundamental (incredibly unlikely) decapsulation failure rates, or just a
> bug, this is good to handle, and we should probably update -hybrid-design
> to match. I've tracked this in this GitHub issue
> <https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/issues/1>
> for now. For my own sake, here's the `decode_error` defintion from RFC
> 8446:
>
> decode_error:  A message could not be decoded because some field was
>
>       out of the specified range or the length of the message was
>
>       incorrect.  This alert is used for errors where the message does
>
>       not conform to the formal protocol syntax.  This alert should
>
>       never be observed in communication between proper implementations,
>
>       except when messages were corrupted in the network.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>


-- 

Sophie Schmieg | Information Security Engineer | ISE Crypto |
sschmieg@google.com

v2.23.0 | Report a Bug | By Email