[TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-agreement
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 15 December 2024 08:59 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iO0U82Nzg-PQ0pkGwzFhuLpSSeI>
On Sun, Dec 15, 2024 at 02:33:34AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:

> It is obvious that pure PQ KEMs are the future, when CRQC becomes
> “more” real. Some respected cryptographers are convinced that it is
> the optimal solution for now as well. Some other respected
> cryptographers insist on combining PQ KEM with a classic one, at least
> until <CRQC arrives? They’ve become convinced somehow that ML-KEM is
> invulnerable to classic attack?>.

NO, this isn't about the *theory*, it's about the *practice*. In theory
a strong PQ algorithm is also a strong classical algorithm. In
practice, it may well be too novel to place all one's eggs in one
basket.

> Both camps based their conclusions on solid reasoning (some of which I
> disagree with, but all of which I respect), and are well-aware of the
> arguments of the opposing group. Their positions are not of ignorance,
> and are extremely unlikely to change.
>
> Thus, I don’t think there’s a way to bring these two camps together,
> nor do I see a need for that. Let TLS offer both hybrid and pure KEMs.
> And be done with it. —

This may well be the outcome, I was merely voicing dissent on the threat
of banning Dan from the list.

--
    Viktor.

And yes, it is rather tricky to implement Kyber/ML-KEM without side
channels introduced by the devil's latest optimising compilers. The
"clangover" attack is quite resilient, and today's workarounds are no
guarantee that the issue won't come back when the devil's compilers get
even more evil.