[TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 03 January 2025 01:00 UTC

Date: Fri, 03 Jan 2025 12:00:11 +1100
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <Z3c2mzFz--QIaK9_@chardros.imrryr.org>
References: <8413a5e4-e622-451d-a235-bee4503288bb@amongbytes.com> <GVXPR07MB96781B31B0E0B3FF02A80E46895F2@GVXPR07MB9678.eurprd07.prod.outlook.com> <CH4PR21MB4168F335FF0C9A9439DD01FC8C582@CH4PR21MB4168.namprd21.prod.outlook.com> <68911a78-57ac-4bea-b3c1-363ade364513@amongbytes.com>
In-Reply-To: <68911a78-57ac-4bea-b3c1-363ade364513@amongbytes.com>
Mail-Followup-To: <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/f9dlZMNr35NW_cLOejsFQEbIcWs>

On Wed, Dec 11, 2024 at 12:28:32AM +0000, Kris Kwiatkowski wrote:

> Following the feedback from the last TLS meeting at IETF@121, I have opened
> this PR to change the name from X25519MLKEM768 to MLKEM768X25519. This
> change aligns with draft-ietf-tls-hybrid-design-11 (section 3.2).
> https://github.com/post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem/pull/26

I've registered a dissenting view on the rename:

    https://github.com/post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem/pull/26#issuecomment-2568568522

The relevant paragraph in Section 3.2 of hybrid design:

    For a hybrid key exchange, the key_exchange field of a KeyShareEntry
    is the concatenation of the key_exchange field for each of the
    constituent algorithms. The order of shares in the concatenation
    MUST be the same as the order of algorithms indicated in the
    definition of the NamedGroup.

says nothing about naming (bikeshed colours).  It talks about the
"definition of the NamedGroup".  The name is NOT the definition, the
name is just an identifier for that definition, the latter is specified
in the RFC that defines the group.  There's no need whatever to waste
time renaming.

    
> > 2. **Changing the order of shares in Secp256r1MLKEM768**.
> >    - The current order is based on requirements from SP800-56C-r2, and

Once the code point has been registered for some time and implemented by
multiple libraries, changing the order should result in a new codepoint,
and be associated with a new group definition and name.

-- 
    Viktor.
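To make the "name versus definition" distinction concrete, here is an added example (not code from the thread, the draft, or any TLS library). It models each hybrid NamedGroup as an ordered tuple of constituent algorithms and builds or splits the `key_exchange` field by concatenating the constituent shares in that order, exactly as the quoted Section 3.2 paragraph requires. The constituent orders (ML-KEM share first for the X25519 hybrid, EC share first for the P-256 hybrid) and the field sizes are assumptions taken from draft-kwiatkowski-tls-ecdhe-mlkem and FIPS 203 as I read them, not from this message; the helper names, the `GROUP_DEFINITIONS` table and the placeholder byte patterns are all constructed for illustration. The point it demonstrates is that an alias such as `MLKEM768X25519` can map to the very same definition with no wire change, while a re-ordered tuple is a different definition and would not parse the same bytes.

```python
"""Hybrid KeyShareEntry layout helper (added example, not from the thread).

A hybrid NamedGroup is *defined* by an ordered list of constituent
algorithms; key_exchange is the concatenation of each constituent's
key_exchange field in that order.  The group name is only a label for
the definition.
"""
from typing import Dict, NamedTuple, Tuple


class Component(NamedTuple):
    """One constituent algorithm and the fixed size of its key_exchange field."""
    algorithm: str
    client_len: int  # client share: public key or ML-KEM encapsulation key
    server_len: int  # server share: public key or ML-KEM ciphertext


# Public field sizes: ML-KEM-768 encapsulation key 1184 bytes and ciphertext
# 1088 bytes (FIPS 203); X25519 public key 32 bytes; secp256r1 uncompressed
# point 65 bytes.
MLKEM768 = Component("ML-KEM-768", 1184, 1088)
X25519 = Component("X25519", 32, 32)
SECP256R1 = Component("secp256r1", 65, 65)

# The definition of each group is the ordered tuple of constituents.  The
# orders below are an assumption based on my reading of the draft, not
# something this thread states: ML-KEM first for the X25519 hybrid, EC share
# first for the P-256 hybrid.
GROUP_DEFINITIONS: Dict[str, Tuple[Component, ...]] = {
    "X25519MLKEM768": (MLKEM768, X25519),
    "SecP256r1MLKEM768": (SECP256R1, MLKEM768),
}
# The proposed rename is only a new label for an existing definition.
GROUP_DEFINITIONS["MLKEM768X25519"] = GROUP_DEFINITIONS["X25519MLKEM768"]


def _lengths(group: str, role: str) -> Tuple[Tuple[str, int], ...]:
    """Ordered (algorithm, field length) pairs for one side of the exchange."""
    if role not in ("client", "server"):
        raise ValueError(f"unknown role {role!r}")
    return tuple(
        (c.algorithm, c.client_len if role == "client" else c.server_len)
        for c in GROUP_DEFINITIONS[group]
    )


def build_key_exchange(group: str, parts: Dict[str, bytes], role: str) -> bytes:
    """Concatenate constituent shares in the order fixed by the group definition."""
    out = bytearray()
    for algorithm, length in _lengths(group, role):
        share = parts[algorithm]
        if len(share) != length:
            raise ValueError(
                f"{algorithm} {role} share must be {length} bytes, got {len(share)}"
            )
        out += share
    return bytes(out)


def split_key_exchange(group: str, key_exchange: bytes, role: str) -> Dict[str, bytes]:
    """Inverse of build_key_exchange; rejects a field whose total length is wrong."""
    layout = _lengths(group, role)
    expected = sum(length for _, length in layout)
    if len(key_exchange) != expected:
        raise ValueError(
            f"{group} {role} key_exchange must be {expected} bytes, got {len(key_exchange)}"
        )
    parts: Dict[str, bytes] = {}
    offset = 0
    for algorithm, length in layout:
        parts[algorithm] = key_exchange[offset:offset + length]
        offset += length
    return parts


def same_definition(group_a: str, group_b: str) -> bool:
    """True when two names label the same ordered definition (same wire format)."""
    return GROUP_DEFINITIONS[group_a] == GROUP_DEFINITIONS[group_b]


if __name__ == "__main__":
    # Constructed placeholder shares (not real keys): fixed-size byte patterns.
    client_parts = {"ML-KEM-768": b"\x01" * 1184, "X25519": b"\x02" * 32}
    ke = build_key_exchange("X25519MLKEM768", client_parts, "client")
    # The alias parses the same bytes; the P-256 group is a different definition.
    print(len(ke), sorted(split_key_exchange("MLKEM768X25519", ke, "client")))
    print(same_definition("X25519MLKEM768", "MLKEM768X25519"),
          same_definition("X25519MLKEM768", "SecP256r1MLKEM768"))
```

The length checks are the part a parser actually needs: because every constituent field is fixed-size, a hybrid `key_exchange` of the wrong total length can be rejected before any decapsulation or point decoding is attempted, and a definition with the constituents swapped would fail in exactly the same way rather than silently feeding ML-KEM bytes into the EC routine.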