[TLS] Re: I-D Action: draft-ietf-tls-hybrid-design-15.txt
Loganaden Velvindron <loganaden@gmail.com> Thu, 04 September 2025 06:52 UTC
Return-Path: <loganaden@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A84175D2B013 for <tls@mail2.ietf.org>; Wed, 3 Sep 2025 23:52:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UM2GWHc9wpWk for <tls@mail2.ietf.org>; Wed, 3 Sep 2025 23:52:10 -0700 (PDT)
Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 120F05D2B00C for <tls@ietf.org>; Wed, 3 Sep 2025 23:52:10 -0700 (PDT)
Received: by mail-pj1-x1034.google.com with SMTP id 98e67ed59e1d1-323266d6f57so782056a91.0 for <tls@ietf.org>; Wed, 03 Sep 2025 23:52:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1756968729; x=1757573529; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=xRU9ALpIpR6SeVH9yzk6LWFAOcIxoSpvJxsR/wskUjc=; b=VGNh8BPouQkdqGtPy1TYoUGMh2/DvdPcN8sQLLAOdtNJs/JpFpvIWRYLzlU3/Acbi/ Eo/ckpo2rflnlrXIXyR/oIL0DZPvPp9j4rNvgsrsfSs3/maMXqj1ST1TYYr5fJed7zsF blpKAGZpdXX6PxdYvc70AIWQC+xBVgG9hICIaW2fzzHUKAkmgQVLy38o5FQQ/m+RlmNM p4Z3Ss4lceEN5iPrLPD6cSKk1NHZnu1fXgY0s/h1zBWwZU3W1aTaiG+8CEyOx3CxD7n/ zfVupuS3j6otV7zEqsA9l/QoOiucpB5JFoVcjJXTWFZdoGBt82/S1KLaNb/noyoBPu53 nnKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1756968729; x=1757573529; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xRU9ALpIpR6SeVH9yzk6LWFAOcIxoSpvJxsR/wskUjc=; b=G+k2yPV4xCFeEcZ8CIsb8TFJ288XkgMjYoI6+c6i3/d4FF3jyJbyN3fhGfMLYCu5c7 w+6W1DTZnbf8YocXX4sDZVRFHnv1sOYy5ZGS54ejfrqgIlj7LEhsKEroquWP5Red0ELI 2odfoQru4P+9yyxwXh/R59ZwFGiAE9wwxiG4c7hCOShWALlU9cw6i2feUYYFl3lIwdG9 BK2Xs6WqlXjzijOq8FhwMYK3zbseEL5JnwavQmCN4Oah49RqM+jwIDqQ4G7WHxFY3CLd L/1RQfO8EkY/2zZlZVR/PlSrNsUJSWf/2F17BVKTk7oPG2K/uaUlWFafPnQ6GeHite/v s7Gw==
X-Gm-Message-State: AOJu0Yxgz8naXg4Ewny9n4OVkQBajuG941rHiMFu2qfCpc7YYIHS61CM iuIbvm0SYd/DXcvyOZ0JLzR59TgRXg31hlkQJ6uQPtFaDhkp2f9vd9Rzy+bOqK4bzxy2j1hv1CQ sX9oC8jYMcdXFD39N1TxapLjwzPXhdoiQZG8e
X-Gm-Gg: ASbGnctULIYVWYC1CQcZweHpXRM9VmoUCjCWo74BMv4tiQMFT56P68JN4hbYvvwdCB4 r67Ikyu6lgbSdP6era8DTPuBKhtCWs7WFTKeKrq4B+d5xFb54i0PKNuh3EAROrVTta1xF1T0aVZ z4GNDPQfwAhg8xxoAblyA0FT48YjDy6MVbpYB99shiLjV0e/6yvcAybs0Bl4Y+d0v5yRftd+OCw u8obX226jU/ouM43E4DdbAYSMf237cBPCNmafjJzL4r2UA=
X-Google-Smtp-Source: AGHT+IEFerOrA0Y0vdu9BP0aMe979IXg6k+c8tM6VV3RoxwRh1SSMYc2Y3vnR1qDYzRiGgVxGRaE8WoRbGrR+thQUSk=
X-Received: by 2002:a17:90b:1646:b0:32b:97ff:c95c with SMTP id 98e67ed59e1d1-32b97ffd2edmr1093676a91.21.1756968728866; Wed, 03 Sep 2025 23:52:08 -0700 (PDT)
MIME-Version: 1.0
References: <175690475844.2093391.10369333528706642393@dt-datatracker-67876766b7-bkzgr> <PA6PR08MB10707E86354F91C0BDA4DE4E7D300A@PA6PR08MB10707.eurprd08.prod.outlook.com>
In-Reply-To: <PA6PR08MB10707E86354F91C0BDA4DE4E7D300A@PA6PR08MB10707.eurprd08.prod.outlook.com>
From: Loganaden Velvindron <loganaden@gmail.com>
Date: Thu, 04 Sep 2025 10:51:57 +0400
X-Gm-Features: Ac12FXy9EgXTPBD0B-4u1wEQLRapcUVHLigbkhf7Ow6JpXgfgqyIqDfZ6RYqaMM
Message-ID: <CAOp4FwQ5cjN8qZDRa4r9f4_7-9EV2uMWnnUYRQidbAMwF8ZKyw@mail.gmail.com>
To: Yaakov Stein <ystein=40allot.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: LLZBV7MXH7W4YMF4FEYETEIZS5YWXPI7
X-Message-ID-Hash: LLZBV7MXH7W4YMF4FEYETEIZS5YWXPI7
X-MailFrom: loganaden@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: I-D Action: draft-ietf-tls-hybrid-design-15.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/etvNF_7gdweV0iCDsa4voLl7OX0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On Thu, 4 Sept 2025 at 10:40, Yaakov Stein <ystein=40allot.com@dmarc.ietf.org> wrote: > > Just a few notes on the latest version of the hybrid-design draft. > > Section 1.2 introduces a very general definition of hybrid key exchange, > with traditional+PQC as merely one example. > This begs the question of what other possibilities there may be > (and of what, precisely, is meant by "different cryptographic assumptions" - > would RSA+ECC or ML-KEM+HQC be considered hybrids under this definition?). > I suggest giving an additional example, such as QKD+PQC (which is actually used in some circles). > > I don't understand the rationale behind the terminology "next generation" in this document. > Next generation crypto need not be PQ. > If I come up with a completely new 1-way function, which has advantages over existing schemes > but is still a special case of the hidden subgroup problem, > then this is NG but not PQ. > > Section 1.3 uses the term "retroactive decryption" which is usually (and in draft-ietf-pquip-pqc-engineers) called HNDL. > The term is fine, but the more usual one should at least be mentioned. > > Section 1.5 introduces the key-share size issue as a sub-issue of latency, > but it could alternatively be considered a performance issue. > Or even better is an issue unto itself. > Actually, latency is determined by the computational complexity and the key sizes > and is thus not a separate issue at all. > > Section 4 states "all defined parameter sets for ML-KEM [NIST-FIPS-203] have public > keys and ciphertexts that fall within the TLS constraints." > It is worthwhile mentioning that ML-KEM and its hybrids > can expand CHs that were previously a single packet into multiple packets, > and hence disrupt the functionality of middleboxes that make assumptions about CHs. > I made a PR about this some time ago, but I missed the deadline. Should I revive the PR ? > Y(J)S > > -----Original Message----- > From: internet-drafts@ietf.org <internet-drafts@ietf.org> > Sent: Wednesday, September 3, 2025 4:06 PM > To: i-d-announce@ietf.org > Cc: tls@ietf.org > Subject: [TLS] I-D Action: draft-ietf-tls-hybrid-design-15.txt > > External Email: Be cautious do not click links or open attachments unless you recognize the sender and know the content is safe > > Internet-Draft draft-ietf-tls-hybrid-design-15.txt is now available. It is a work item of the Transport Layer Security (TLS) WG of the IETF. > > Title: Hybrid key exchange in TLS 1.3 > Authors: Douglas Stebila > Scott Fluhrer > Shay Gueron > Name: draft-ietf-tls-hybrid-design-15.txt > Pages: 23 > Dates: 2025-09-03 > > Abstract: > > Hybrid key exchange refers to using multiple key exchange algorithms > simultaneously and combining the result with the goal of providing > security even if a way is found to defeat the encryption for all but > one of the component algorithms. It is motivated by transition to > post-quantum cryptography. This document provides a construction for > hybrid key exchange in the Transport Layer Security (TLS) protocol > version 1.3. > > The IETF datatracker status page for this Internet-Draft is: > https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/ > > There is also an HTML version available at: > https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-15.html > > A diff from the previous version is available at: > https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-hybrid-design-15 > > Internet-Drafts are also available by rsync at: > rsync.ietf.org::internet-drafts > > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org > This message is intended only for the designated recipient(s). It may contain confidential or proprietary information. If you are not the designated recipient, you may not review, copy or distribute this message. If you have mistakenly received this message, please notify the sender by a reply e-mail and delete this message. Thank you. > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org
- [TLS] I-D Action: draft-ietf-tls-hybrid-design-15… internet-drafts
- [TLS] Re: I-D Action: draft-ietf-tls-hybrid-desig… Yaakov Stein
- [TLS] Re: I-D Action: draft-ietf-tls-hybrid-desig… Loganaden Velvindron