IETF Logo Mail Archive

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

John Mattsson <john.mattsson@ericsson.com> Thu, 09 November 2023 13:01 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C19FC17061F for <tls@ietfa.amsl.com>; Thu, 9 Nov 2023 05:01:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4DShVm-3Thch for <tls@ietfa.amsl.com>; Thu, 9 Nov 2023 05:01:46 -0800 (PST)
Received: from EUR02-AM0-obe.outbound.protection.outlook.com (mail-am0eur02on2083.outbound.protection.outlook.com [40.107.247.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC2DAC1705F6 for <tls@ietf.org>; Thu, 9 Nov 2023 05:01:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IE9fVDTJsUWozSRpMas1vOn94Mbwx17IlMbByZzjiW9xAvGEP8jVxGjVF8QnCJ7BmvBgCRLMZxf0a6SKt1BoUIXWXBvc5oqHe7xk+mYM3qm+oO+o9O88gw/RqFZoLsDFud1QIeRtXNd+NK2sMPAJ/D90nNeepR3Bk7sOlOKr529hkmGsq0upFz+goBklDrrG7y5Op5cRdfH/kVWcMStODmrSNc6lQIZys2Ha7+TgKRzVuL6p9PRAVTA9Y7TwjASxiWEmuGJodiAC91wPWSzg6AvHJsTk8KIMxPxVyWbtCHKqE6C5PHwLoPr5k6aao8+qW4Ul9GvlIti9BIuzVX3SAg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=s9fCj+LzmKKc71RS7zdUvn2oS8/AQx0QQ6vKAiL3qGw=; b=NsN3Xm0F4Yyq44iytYzdUSHN6EnthPwmvVZNCBPCoeNV7mjg8ATQLZxAtY+fSwoYJHyyxlbJQ9QkCSqSZkGJW7x6NeyIlSNCprTsLxYFvAtWVN6wIRtzPyiI1zS47iUUu+G97B4m3bhRjOkuESEkKR/8QHBhDOyF/85+dEA6xAiW+cw6u2QDKKHUGqYnaNKlZa1bRTtLC3gEZ1EK+GDrZBK4Cf2Pf/T/WhfYbYVjiNHAoW8pELS+kQq7wj49jRQkFTXdXhjUs8zvpE38fKJJqx5VR4h1gVlkORPkOAyp6CgvUfJdmmLVQkifVju1EkiJBOnQwngpQiga72fCACMJtA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=s9fCj+LzmKKc71RS7zdUvn2oS8/AQx0QQ6vKAiL3qGw=; b=nixBAZlTf/N3WLRbt6iKY5cukgLCcuHRc+ZZ7pHilFRh6aDyqAWf/DXOwbHENI88BaYIwQV4TMUAOPhxXquK565fm5UkpudRpY3RCxZxSFJhYCH2nevnvzgyKiby7b6eYk+g6LVrmDpFLnFWo9Qgpvsrj+39AOoXk/iFolcwoFayXo6GEue6kyy6GEgfUU2cbW+0mksoYR3D9ZJf64AKnV1/FaZ/Zzz1xvZhOrL3vxN0lPXgf/+3VhBDSlOcvhW8CgNDPDwP/XBrWoh/nLk6GpguNaJhmSQWtBBwomhGLO1txbzLvI77Ul9B80Q65YKoWBWEq1gaB86R8vshHNge/w==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by DB9PR07MB7993.eurprd07.prod.outlook.com (2603:10a6:10:2a4::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6977.19; Thu, 9 Nov 2023 13:01:41 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::5b7e:93e:145a:7cbb]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::5b7e:93e:145a:7cbb%2]) with mapi id 15.20.6954.029; Thu, 9 Nov 2023 13:01:41 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Deirdre Connolly <durumcrustulum@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
CC: Sophie Schmieg <sschmieg@google.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
Thread-Index: AQHaEuAPBWr8lcufxk+ehIDJ8vyvBLBxqpCYgAAnfICAAAe6AIAAGape
Date: Thu, 09 Nov 2023 13:01:41 +0000
Message-ID: <GVXPR07MB9678962F20BE0FCB979682BC89AFA@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <CAEEbLAZECSX+LvjMgA+kUpkybs-S92L2Te58Y35Pytu2CA2DhA@mail.gmail.com> <GVXPR07MB96784CF76D3DE39BE67D72F289AFA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CH0PR11MB5444463A58964CEB0F91E7F2C1AFA@CH0PR11MB5444.namprd11.prod.outlook.com> <CAFR824zX6LMYNge=eXju52zoV=kpSrZVem4z+hyyX-9NdJbq6Q@mail.gmail.com>
In-Reply-To: <CAFR824zX6LMYNge=eXju52zoV=kpSrZVem4z+hyyX-9NdJbq6Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|DB9PR07MB7993:EE_
x-ms-office365-filtering-correlation-id: 148ac544-f62a-4b0b-9c80-08dbe1240455
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2NIZ/0zGo0BugY36U5psKj+SjmKOYTDD4ldq5+hQSvVevZlZ8gJwV/Cq9zfjYf7R7BipA6N+AzxjSAM3GLLnzhRYxrlSsrHxIPF7wpHUVBHEhBypdA5Iaw0kOFuNp/1h6G89b95SM1BcMRc8dHSduNytayh6j/fOXukcvwu7NSPakNfepRiRMydaSUQu0B+gECf2HdYdIzPgZiw1wiJpFXgDirCVk9RFQmrvHQdXWSeJHLCguMMXn8nfkvyn/xXCZ84q51Dc876W/69cXGXC/plRgySWT3pE+9atk7qFUrG0wtyDrZktwP6rXWBpzbTInkHLiBgEPr8V3P9GFZ9ZkkpHvQYpnhnybtFX2IoN4mgSOydfLoeIc+v2zWcFIvlcS8QyFwL+RRJoExkHvZYRBACJJmHiu9Dg+ytbCMAn0cK7FkX+zbee86alpFTI4aFVm7oXKK/CgNUZvTDoFMIRKi9ThNRlC5DgsMsn6ghbpnXKrZmYGfOluAkaOMzbybkRC/F8kNalFSlwZ5RqoucgYX1QnJszO6071AFD1GWAUjQ7yAsBdmhoz7133TnoJxzfA64rk15R+jOuSxF+7BwH2KLy0kZBYeqhTC3PQIdk5V75yksoQ2tmUkrgrzKN0wbG4JNi2qJQycjzG0SeZS8p0bvq3Ip4RU+q+ePpd9XlwU3mm0lIW3OsUVoDhHCrFsSajhNS9WoIlACteM/caBWBc2uFJXVVGNbFt6AxjxLRP/g=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(396003)(346002)(366004)(136003)(376002)(230922051799003)(230173577357003)(230273577357003)(64100799003)(186009)(1800799009)(451199024)(76116006)(55016003)(66946007)(66556008)(64756008)(66446008)(54906003)(66476007)(44832011)(110136005)(21615005)(316002)(52536014)(8676002)(8936002)(5660300002)(4326008)(53546011)(82960400001)(122000001)(83380400001)(66574015)(2906002)(26005)(478600001)(966005)(71200400001)(7696005)(41300700001)(6506007)(38070700009)(86362001)(33656002)(9686003)(166002)(38100700002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: bztpSi1AZszs9EuMszQMeEXa2+8ZDymti6fs3NtuEZsYUEkjWV3O1hZqgVMXWv4d0r/+B+hYc6d7w7AVT6d1Tye+2ZidPAx7ZwWtvx8BaJ3YI9UAqRH5l1p/qroICBr/ys1vNlcZrPNTwegL0bx9cTWnHI2r2Uii6p7dAsw33OOgq8niVhcSVB6+n3crBkDWpggbI0sAnJdHdvoqVjeL6OVsiqlwV0145R0JgJJ12cLEb0nNGtuwFOyKESNPOIug8db2llzj3r8DNsoIw4O1s/9VllCZEA459kViakWeyCKu33TMO6Tgj2CDjwyCDmnGetdm0DeCU1GC93BJYAAwVw3wGtK8IEFY3UT2o1GahbZr3W/WPtVz/bwKx2l1izJ727ttN02/2Nu3gWgav0syKdmYvKZiQ5oIaQTlOcvwWuq6yYSx7Yp/vTQPb5ulQmLKNEKDB44CpS1di7f7T1HiVHvWtstqOwsNXxT/ij09yk+KH/gN0lzxCPrzvjYi0A1y5bzg3+1cEbi87A/MX5f66vztHnsDwS6rvaCp6jvQVBB4AA34MLLDKmi9BkxlWR9Fn72HB/jMizYjTBN4vOqbz4bQYC3ivGOWBwtRQE4QjR/yANrOpZfgT9p5sGqeZGQILgtvslv1H+q6RgCR4gHUvzUd1BQhPMnIiAH18+2Zlb/93qR15Ccxps49r/Rh8EejfPSMNM02ctp2bB92b2vwTLdOTfIGVzRmgGuxYRzsUT/BfB7x4MjXmnPoI6NsHMSC8OBwEKAFiWrUe1DPgK9WVEKsI532A4sDs9Z8KtT5w8bwzluT4cfKNSg/DeW5bgb25R3sicR7oVJYFAjb+RepXN1Qh8y8tUdp0gfIjFQ7NsWiZpd/LG4woWnvS265ncKeoqMa3h1qGfq6MAXruP5gkpg4jbRNYglEZF6lmSqyc/ST/FHb5kvyLZgiYGVfLnuiBGB+8UVeV3/5DzMtpVmWCngycpRr5CY9YWN3BB81hHX5HQ6sE9khu/3xcRwqD1O8Z+PAbIUiCtI1KLHU3sMXNIDeH+OPXr7vyI2ShE1QAt+LUh8+DVavLxbgpH9FwB1tjusmPoB/H9sTmEwXCJfAsEtdehxZacxviDBfeQu3SoDw43hArCjRFg8e66Pco2S5i8v7WTQd4LkiCoVYuWYpYLBC8FuHA7wQYGr+U2TVqIPLzGRQKkMXqm4XgmLtoISfC4W+VySqIbp+rvezGZ7EirvEpfs3f4YioDSzP9VdtYNJ9QS9tn4QOcn5h8KV0AWzM9pT7q4n2Qr1+jVcG9bgF+AyIseoa8wPTUh3D1LA2yVqQqFE+Jw2Jgx7M4Snk24wauoszK4gA6gtDA8T8JBhXbV9jDxWzLif3kyGL6vzjggO/4de6UBMIWxuV/B1MfEcejEPHFqo8dI577RAAdZ01KizRLlEE6Y7Si424gBweM//DHoO6zo3o4KIdPjNBpkJrDBLBGn7ho+o3mgJw4HcvtRKw8WGSahW+QRtTbNOwJFHpP2O+CZl9F5egPtXNozwG1kP451cf8mOxNfLdrPJbpNy1gtDQZS/tPNu6/3Rs0qrurhGszCcQV1uliu3IxYs18BFaTH8/FZa4fmewLV1TrrPEhIjSm7UaHgMGqACfUw=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB9678962F20BE0FCB979682BC89AFAGVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 148ac544-f62a-4b0b-9c80-08dbe1240455
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Nov 2023 13:01:41.0318 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +6ZMXrah4L40RheWxmYHVR9fGPLLnLK6l8aOHKYtlRQsMW5osXrR4aG96V8mjy9nMMJcXyTmSZ76UwG3NpvxF/7r3eOYx2MUOFf6MAJefuY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR07MB7993
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/elspxxOMirew3Mv1dE52bMYcbc8>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2023 13:01:50 -0000

Scott Fluhrer wrote:
>We had that argument several IETF’s ago (IETF 105?), and the clear consensus of the working group was that explicit named hybrid combinations (e.g. one for ML-KEM-512 + X25519) was the way to go.

I think it is bit problematic that the discussion was so long ago before any KEM standards were even close to ready and interest in deploying quantum-resistant KEMs was limited. The cluster Deirdre mention are all non-recommended parameters that I personally don’t care about and don’t want to use. I want standards track RFCs. We will likely have FIPS standards for ML-KEM and ML-DSA before IETF 119 and it worries me that TLS WG has not even started any work (which is equally much my fault). I would like to make ML-KEM and ML-DSA mandatory to support in all 3GPP systems that use TLS, DTLS, and QUIC, which are many and growing. Current 3GPP policy is to only use “recommended” parameters.

The discussion at IETF 105 was 10 min discussion about a specific proposal that included complex client preferences and gave the impression that it significantly changes the key schedule. I don’t think any client preferences would be needed except the group order. The server can determine the most preferred PQC KEM and the most preferred ECC group and make a choice based on its own policy. The client should not advertise groups that it does not want to use. The presentation from IETF 105 gives the impression that the key schedule changes. I don’t think a split key PRF changes the key schedule, you just exchange one PRF (HKDF-Extract) with another PRF, in fact I think it was wrong to hard-code HKDF in TLS 1.3, HMAC and HKDF are constructions to mitigate the weaknesses in SHA-2.

https://datatracker.ietf.org/meeting/105/materials/slides-105-tls-sessa-hybrid-key-exchange-in-tls-13-00
https://datatracker.ietf.org/meeting/105/materials/minutes-105-tls-00

>Do we want to reopen that argument?
I guess I already did, but unless people support the idea in this thread, we don’t need to discuss it in a meeting. Registering hybrids as code points clearly work and it’s anybody’s guess how many hybrids will be registered and for how long they will be used. I think the time required for discussing which hybrids to register (or not to register) might be the biggest problem.

Cheers,
John Preuß Mattsson

From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Thursday, 9 November 2023 at 12:28
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Cc: John Mattsson <john.mattsson@ericsson.com>, Sophie Schmieg <sschmieg@google.com>, tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
There are several documents in a cluster that define new hybrid `NamedGroup`s and how those operate / are combined, abstracted away from the rest of the TLS handshake. Treating hybrid schemes (key establishment, signatures) as /separate and distinct from their component algorithms/ is a good idea.

https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-09.html
https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-03.html
https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-kyber-01.html

I am aware of multiple implementations<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-3e8580b6be3fe97e&q=1&e=68363486-341d-4e6c-a177-7f30845c9f18&u=https%3A%2F%2Fgithub.com%2Faws%2Fs2n-tls%2Fissues%2F4132> and at least one deployment<https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html> of the proposed `NamedGroup` `X25519Kyber768Draft00`, so


On Thu, Nov 9, 2023 at 12:01 PM Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>> wrote:
We had that argument several IETF’s ago (IETF 105?), and the clear consensus of the working group was that explicit named hybrid combinations (e.g. one for ML-KEM-512 + X25519) was the way to go.

Do we want to reopen that argument?  Now, I was on the other side (and I still think it would be a better engineering decision, given the right negotiation mechanism), but if it delays actual deployment, I would prefer if we didn’t.

From: TLS <tls-bounces@ietf.org<mailto:tls-bounces@ietf.org>> On Behalf Of John Mattsson
Sent: Thursday, November 9, 2023 3:48 AM
To: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org<mailto:40google.com@dmarc.ietf.org>>; tls@ietf.org<mailto:tls@ietf.org>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Hi,

Everybody seem to agree that hybrids should be specified. Looking in my crystal ball, I predict that registering hybrids as code points will be a big mess with way too many opinions and registrations similar to the TLS 1.2 cipher suites. The more I think about it, the more I think TLS 1.3 should standardize a generic solution for combining two or more key shares.

My understanding of what would be needed:

- New "split_key_PRF" extension indicating that client supports split-key PRF.

- When "split_key_PRF" is negotiated the server may chose more than one group/key share.

      struct {
          NamedGroup selected_groups<0..2^16-1>;
      } KeyShareHelloRetryRequest;

     struct {
          KeyShareEntry server_shares<0..2^16-1>;
      } KeyShareServerHello;

- When "split_key_PRF" is negotiated HKDF-Expand(Secret, HkdfLabel, Length) is replaced by a split-key PRF(Secret1, Secret2, ... , HkdfLabel, Length)

I think the current structure that the TLS server makes the decisions on “groups” and “key shares” should be kept.

There was a short discussion earlier on the list
https://mailarchive.ietf.org/arch/msg/tls/Z-s8A0gZsRudZ9hW4VoCsNI9YUU/


Sophie Schmieg sschmieg@google.com<mailto:sschmieg@google.com> wrote:
”Our stated intention is to move to Kyber once NIST releases the standard”
“I do not think it makes a lot of sense to have multiple schemes based on structured lattices in TLS, and Kyber is in my opinion the superior algorithm.”

I agree with that.

Cheers,
John Preuß Mattsson



From: TLS <tls-bounces@ietf.org<mailto:tls-bounces@ietf.org>> on behalf of Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org<mailto:sschmieg=40google.com@dmarc.ietf.org>>
Date: Thursday, 9 November 2023 at 08:40
To: tls@ietf.org<mailto:tls@ietf.org> <tls@ietf.org<mailto:tls@ietf.org>>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
> > On 8 Nov 2023, at 8:34, Loganaden Velvindron <loganaden@gmail.com<mailto:loganaden@gmail.com>> wrote:
> >
> > I support moving forward with hybrids as a proactively safe deployment
> > option. I think that supporting
> > only Kyber for KEX  is not enough. It would make sense to have more options.
> >
> > Google uses NTRU HRSS internally:
> > https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-906db70ac616716e&q=1&e=19fc7c2a-a02d-472c-b2ec-cc51f454c161&u=https%3A%2F%2Fcloud.google.com%2Fblog%2Fproducts%2Fidentity-security%2Fwhy-google-now-uses-post-quantum-cryptography-for-internal-comms>
> >
> > If Google decides to use this externally, how easy would it be to get
> > a codepoint for TLS ?
> As easy as writing it up in a stable document (may or may not be an Internet-draft) and asking IANA for a code point assignment.
>
> It can be done in days, if needed.
>
>  Yoav

Just to clarify a few things about our internal usage of NTRU-HRSS: This is for historic reasons.

Our stated intention is to move to Kyber once NIST releases the standard, see e.g. my talk at PQCrypto [1], where I go into some detail on this topic.
Long story short, we had to choose a candidate well before even NIST's round 3 announcement, and haven't changed since changing a ciphersuite, while relatively straightforward is not free, so we would like to avoid doing it twice in a year.
The only security consideration that went into the decision for NTRU was that we wanted to use a structured lattice scheme, with NTRU being chosen for non-security related criteria that have since materially changed.
I do not think it makes a lot of sense to have multiple schemes based on structured lattices in TLS, and Kyber is in my opinion the superior algorithm.

[1] https://www.youtube.com/watch?v=8PYYM3G7_GY


--
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email