[TLS] Next steps for key share prediction
David Benjamin <davidben@chromium.org> Thu, 07 March 2024 22:55 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 050FCC14F6BC for <tls@ietfa.amsl.com>; Thu, 7 Mar 2024 14:55:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.257
X-Spam-Level:
X-Spam-Status: No, score=-14.257 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j3tqghAmzvCa for <tls@ietfa.amsl.com>; Thu, 7 Mar 2024 14:55:48 -0800 (PST)
Received: from mail-yw1-x1130.google.com (mail-yw1-x1130.google.com [IPv6:2607:f8b0:4864:20::1130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37B80C14F681 for <tls@ietf.org>; Thu, 7 Mar 2024 14:55:48 -0800 (PST)
Received: by mail-yw1-x1130.google.com with SMTP id 00721157ae682-6096ff3e4abso3239497b3.0 for <tls@ietf.org>; Thu, 07 Mar 2024 14:55:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1709852147; x=1710456947; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=VsazeI8USd9W0MnhybXDAbU6WdmhwaqIbSyYBCTxehc=; b=BM4uP0AWYjV9lC8W4S5KWHuXlC6ORgIIVRT/FXUtsw6D4MER/Yjwa8y6jrGSXNQJBk Css5M7/o8pMp/dziL9mDuKcSjL1UCbw2v1HXYR6SgLo7vsmFeX1++i/gmf4JmkDl6KaJ v+gK86Xz4WDuhtKasMEbOOBb2yAvv35pTP9UE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709852147; x=1710456947; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=VsazeI8USd9W0MnhybXDAbU6WdmhwaqIbSyYBCTxehc=; b=RqNNDEMhYoSl98Qp4rnJ4H9IjcHUoGVtOpl0fbKhkKemHgRKKjqA7RPGg/m35yaK7M lLI6hlGgbXFdW52YeY05WGZjJtPA258CeZh1qKqHk2YWvT8sKtQ60uLB5sjQ17u4WWlx Wilp0FxfzmAL9YDe84gyeA3BmXCCfBr6OMuGPxcDTZUNxUOwLxVR5pa4nKLlpCqsYbmD IxZ5C48N99DgLPxptBUvdma9PEavtGQyRlSUa3gRVJWzIysIwR1Ay1ZTNkfS9PQ1XmTW 93nbGGVzZm3EUne4XXdfrVMrWeszIcgVz06/iTk+dTyT1enbntP2Go3MvvPhoiuoU7B9 COxg==
X-Gm-Message-State: AOJu0YyUpjAJ+hFYf4S0AAZHg1r+rkVtRvTgETcI//MVvYKZDLH/ge1F N5jy2sQL+odSt/iV/QnAYCc8uFKVoKiRaWSF9qfTiTfaEINEra970ZVAxK2vqKUckiBmeQkIQCM Qy+ok81mXE1/7CG7KnTvuaS/6XvmAINULGOLB6owArPiNj1hZc5o=
X-Google-Smtp-Source: AGHT+IEWS5b+/iBd3q6FFG1Lw5z0y/CpsBghuInK6Rde6X/5hyawEigxYxpkprt3CzRtBPfo6YpROnSqZvC4Mwe/w8Q=
X-Received: by 2002:a81:7c88:0:b0:608:b629:6281 with SMTP id x130-20020a817c88000000b00608b6296281mr18055565ywc.24.1709852146628; Thu, 07 Mar 2024 14:55:46 -0800 (PST)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Thu, 07 Mar 2024 17:55:29 -0500
Message-ID: <CAF8qwaB6OZr=Cw7aGyo+9EEo_wQ5Da7KF=3CSEttWqyHQn=+fw@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d273c9061319f973"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iy70Uik3e7bXnntsD42VzG3hiAQ>
Subject: [TLS] Next steps for key share prediction
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2024 22:55:52 -0000
Hi all, With the excitement about, sometime in the far future, possibly transitioning from a hybrid, or to a to-be-developed better PQ algorithm, I thought it would be a good time to remind folks that, right now, *we have no way to effectively transition between PQ-sized KEMs at all*. At IETF 118, we discussed draft-davidben-tls-key-share-prediction, which aims to address this. For a refresher, here are some links: https://davidben.github.io/tls-key-share-prediction/draft-davidben-tls-key-share-prediction.html https://datatracker.ietf.org/meeting/118/materials/slides-118-tls-key-share-prediction-00 (Apologies, I forgot to cut a draft-01 with some of the outstanding changes in the GitHub, so the link above is probably better than draft-00.) If I recall, the outcome from IETF 118 was two-fold: First, we'd clarify in rfc8446bis that the "key_share first" selection algorithm is not quite what you want. This was done in https://github.com/tlswg/tls13-spec/pull/1331 Second, there was some discussion over whether what's in the draft is the best way to resolve a hypothetical future transition, or if there was another formulation. I followed up with folks briefly offline afterwards, but an alternative never came to fruition. Since we don't have another solution yet, I'd suggest we move forward with what's in the draft as a starting point. (Or if this email inspires folks to come up with a better solution, even better! :-D) In particular, whatever the rfc8446bis guidance is, there are still TLS implementations out there with the problematic selection algorithm. Concretely, OpenSSL's selection algorithm is incompatible with this kind of transition. See https://github.com/openssl/openssl/issues/22203 Given that, I don't see a clear way to avoid *some* way to separate the old behavior (which impacts the existing groups) from the new behavior. The draft proposes to do it by keying on the codepoint, and doing our future selves a favor by ensuring that the current generation of PQ codepoints are ready for this. That's still the best solution I see right now for this situation. Thoughts? David
- [TLS] Next steps for key share prediction David Benjamin
- Re: [TLS] Next steps for key share prediction Watson Ladd
- Re: [TLS] Next steps for key share prediction David Benjamin
- Re: [TLS] [EXTERNAL] Re: Next steps for key share… Andrei Popov
- Re: [TLS] [EXTERNAL] Re: Next steps for key share… David Benjamin
- Re: [TLS] [EXTERNAL] Re: Next steps for key share… Loganaden Velvindron