[TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Loganaden Velvindron <loganaden@gmail.com> Tue, 12 November 2024 05:36 UTC
Return-Path: <loganaden@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BA99C16942D for <tls@ietfa.amsl.com>; Mon, 11 Nov 2024 21:36:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IGn4iONT8wsh for <tls@ietfa.amsl.com>; Mon, 11 Nov 2024 21:36:40 -0800 (PST)
Received: from mail-ot1-x32c.google.com (mail-ot1-x32c.google.com [IPv6:2607:f8b0:4864:20::32c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B6F8C165518 for <tls@ietf.org>; Mon, 11 Nov 2024 21:36:39 -0800 (PST)
Received: by mail-ot1-x32c.google.com with SMTP id 46e09a7af769-7183a3f3beaso2777905a34.1 for <tls@ietf.org>; Mon, 11 Nov 2024 21:36:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731389799; x=1731994599; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=HtRCynE09WI11YnzqBASeyYy6hXQVIIfA7n8qg0kB+A=; b=mcdSSEp1zRzP+3YDUW2N81kJT4rBM0sYmIl+JmZZB7YS0Xpc+wNW1ZXVPDv1xY+0Ox qlRM2M3AkkQjCFJtZ1b43EgKIA7LLAF4L7Mmb78t9fq6y8tipf5s2ADbAVHbObwIlT67 j25m0PAUG0Pb95GjyMbeflfsqMg0aTcyOMQlRviX8XMCx2XQ7zWSxH9c27rnccfuGfNX XmwBSdIm4gl3IORNOQLu2449pwhQ7NSAd8/p9W5aPMJKoVBfYs9mSlauNXCb7bAH7v/1 RVPbNdmVf1KzsBDRjBJw4HNHswbwbs7yag1QZgWqdC75X6Amjdc3+fkLHVDOYvcdMrVS q41g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731389799; x=1731994599; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HtRCynE09WI11YnzqBASeyYy6hXQVIIfA7n8qg0kB+A=; b=BAO656cDa1NlCYbJY1H8JtO0M/GtzpMAHmwMI3cQ7FEw4SxnIHZSkhXosHY8zzDjjL PsRIlNCcu8k0KQm3Iy7ai2lEvX8gSKpNV8PUEgW6DHk1SEe1QOt6VrMEsTr8lSMjc0e5 MPVGAVSElZ5Y32tBtiOoRrO236cZQBnDsDBoIRm419+2huy0qH155sCytxulTPXul1Ft 4VqpgZaya9tAdAfPD9/MxgrvgpO0ZN72dDcCsCZ8Rk6/6zTP9o3sDzxdcjO7RX06Lj1j Iruw2SWxOYJiBuTwNbVVMqYr2ohyplVpJzm9f1L/weVbTaUOttfc2pmgyk8/Pgw8/dzK zBjw==
X-Forwarded-Encrypted: i=1; AJvYcCUrZuBYP1mjfLzJINvEFdO8Hh11AQFmhsnkjIynDmFMtwkyG2GizH/7BfUpQ83/OCmG9qk=@ietf.org
X-Gm-Message-State: AOJu0YzZHqT8UFtljOsx/gACnUsT5Fo6o2wYTStHnxDk+5TRIMk+XvJm D2bi9q7RW0BJVPPbu3EZDOZCkMlr+8vEI6LVaWKI69z9ZUlqcimmFBBzu8+Z2YsrV5AWc7kcm6S ySqKidVKSIcyQqHB1BmFc7qj46jvBkg==
X-Google-Smtp-Source: AGHT+IHX3bgPCoEb94IRo/GXswwkKbRy0Os3z42+99meACIfe44q1Si1kdm8hNlMpIFIGGPiWoWmgig/lcYiRljG80Y=
X-Received: by 2002:a05:6830:3509:b0:717:d4b6:c91f with SMTP id 46e09a7af769-71a1c21415cmr13855541a34.11.1731389799138; Mon, 11 Nov 2024 21:36:39 -0800 (PST)
MIME-Version: 1.0
References: <8413a5e4-e622-451d-a235-bee4503288bb@amongbytes.com> <122a4237-89f3-4b5a-8a31-6726cb7223ea@redhat.com> <CAFR824wpgafAUu2i0W8kmAqq50Ci1Z4gAJzFZDMjGZj12uSaLQ@mail.gmail.com> <CAMjbhoXmLD-tTU08Dbnt7bsq0pAPxE1-vYNVJPT-HZ5WTZeRNg@mail.gmail.com> <CAFR824zFA2ig_gLgGak_2QYt5uaK9Sq8ToGsbqS=x8gqQo1rOA@mail.gmail.com>
In-Reply-To: <CAFR824zFA2ig_gLgGak_2QYt5uaK9Sq8ToGsbqS=x8gqQo1rOA@mail.gmail.com>
From: Loganaden Velvindron <loganaden@gmail.com>
Date: Tue, 12 Nov 2024 09:36:28 +0400
Message-ID: <CAOp4FwRdmq980C8DDC=EHWCqVGGe_C2j2MbFGMayfJOtSe4B5g@mail.gmail.com>
To: Deirdre Connolly <durumcrustulum@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 5AFNCFJC2RJF5VWL57YRJCMAWYXETG3U
X-Message-ID-Hash: 5AFNCFJC2RJF5VWL57YRJCMAWYXETG3U
X-MailFrom: loganaden@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "TLS@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/j1qkfNmk33OZ7hgCR53TiLmYOiA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
I do not support ML-KEM only. On Mon, 11 Nov 2024 at 22:03, Deirdre Connolly <durumcrustulum@gmail.com> wrote: > > OK; what about ML-KEM only? > > On Mon, Nov 11, 2024, 9:58 AM Bas Westerbaan <bas@cloudflare.com> wrote: >> >> That was before the release of FIPS 203. >> >> On Mon, 11 Nov 2024 at 18:29, Deirdre Connolly <durumcrustulum@gmail.com> wrote: >>> >>> Two meetings ago there was a consistent vibe in the room that Recommend'ing any PQ parameters, hybrid or no, was premature; has that changed? >>> >>> On Mon, Nov 11, 2024 at 9:00 AM Alicja Kario <hkario@redhat.com> wrote: >>>> >>>> On Sunday, 10 November 2024 13:38:38 CET, Kris Kwiatkowski wrote: >>>> > Hello, >>>> > >>>> > As discussed during the TLS session at IETF 121, we would like >>>> > to propose the adoption of draft-kwiatkowski-tls-ecdhe-mlkem. >>>> >>>> Very much in favour of adopting this draft. >>>> >>>> > There are a few open questions that need to be addressed: >>>> > >>>> > 1. **Alignment of NamedGroup X25519MLKEM768** with the order of >>>> > shared secrets, as per Section 3.2 of >>>> > draft-ietf-tls-hybrid-design. >>>> > - I suggest updating the name to mlkem768_x25519, while >>>> > keeping the codepoint unchanged (if that is acceptable). If >>>> > this change is made, I also recommend changing the name of >>>> > Secp256r1MLKEM768 to align with x25519. >>>> >>>> while I'd /like/ for the name to remain, I'm not opposed to changing it, >>>> especially if we make it so that the order in the name matches the order >>>> in the shares and derived secrets >>>> (I've already seen names all over the place for the codepoint, so the >>>> name isn't consistent across different implementations already...) >>>> >>>> no preference for mlkem768_x25519 vs MLKEM768X25519 vs mlkem768x25519 >>>> >>>> OTOH, if NIST doesn't change their stance, then having name represent the >>>> order, and there still being interest in hybrid at a time when P-256 and >>>> P-384 are not approved, would give a clear description for the new point, >>>> new name, with the order reversed >>>> >>>> Given how widely it is already deployed, I'm very strongly opposed to >>>> changing the codepoint or its meaning. >>>> >>>> > 2. **Changing the order of shares in Secp256r1MLKEM768**. >>>> > - The current order is based on requirements from >>>> > SP800-56C-r2, and it was chosen to facilitate the migration of >>>> > the TLSv1.3 >>>> > handshake in a flow requiring FIPS certification. Although >>>> > the switched order of shares aligns with FIPS, it necessitates >>>> > the re-certification of the cryptographic module. The >>>> > current order supports modules that are already deployed in the >>>> > field. >>>> > My (slight) personal preference would be to proceed with >>>> > adoption but switch the order only if NIST relaxes the >>>> > requirement >>>> > regarding the order of shares in SP800-56C-r2, which we >>>> > know is under discussion. Otherwise, I believe the current >>>> > choice >>>> > better supports migration to non-hybrid MLKEM, but I would >>>> > appreciate feedback on this decision (ideally from others who >>>> > have a requirement for FIPS). >>>> >>>> I'm opposed to changing the order. The way it is right now (for all three >>>> codepoints) is good. Especially speaking as a vendor intersted in FIPS >>>> compliance. >>>> >>>> Even *if* NIST relaxes the requirements, we don't know *when* that will >>>> happen. >>>> We have explicit confirmation that as long as the first algorithm is >>>> FIPS approved, then the whole SP800-56Cr2 scheme is, so I think, for FIPS >>>> compliance, we're good. >>>> >>>> If in the future it will turn out that we want a hybrid with ML-KEM-1024 >>>> first, registering it won't be too much work. >>>> (Or NIST may say that ML-KEM is fine as the second one iff the first >>>> shared secret was "formely NIST approved algorithm", we don't know.) >>>> >>>> And even without it, we already have codepoints for pure ML-KEM of all >>>> sizes. >>>> >>>> So, I think the three codepoints are the minimal set to handle: >>>> * the general Internet >>>> * FIPS compliance >>>> * Common Criteria Protection Profile compliance >>>> >>>> with as little friction to roll them out as possible. >>>> >>>> I think this is the main thing we should have in mind: we want people >>>> using PQC key exchanges as soon as possible as widely as possible. >>>> >>>> > 3. **Setting RECOMMENDED=Y for Secp256r1MLKEM768**. >>>> >>>> Since all three (secp256r1, secp384r1, and x25519) are RECOMMENDED=Y, >>>> I think we should set "Y" for those three algorithms too. >>>> >>>> > Additionally, we plan to register Secp384r1MLKEM1024, but I >>>> > believe this should only be done once we reach a consensus >>>> > regarding >>>> > point 2. >>>> > >>>> > Thank you! >>>> >>>> -- >>>> Regards, >>>> Alicja (nee Hubert) Kario >>>> Principal Quality Engineer, RHEL Crypto team >>>> Web: www.cz.redhat.com >>>> Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic >>>> >>>> _______________________________________________ >>>> TLS mailing list -- tls@ietf.org >>>> To unsubscribe send an email to tls-leave@ietf.org >>> >>> _______________________________________________ >>> TLS mailing list -- tls@ietf.org >>> To unsubscribe send an email to tls-leave@ietf.org > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org
- [TLS] Post-quantum hybrid ECDHE-MLKEM Key Agreeme… Kris Kwiatkowski
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Alicja Kario
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Deirdre Connolly
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Bas Westerbaan
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Deirdre Connolly
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Alicja Kario
- [TLS] Re: [EXT] Re: Post-quantum hybrid ECDHE-MLK… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Andrei Popov
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Loganaden Velvindron
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… John Mattsson
- [TLS] Re: Post-quantum hybrid ECDHE-MLKEM Key Agr… Salz, Rich
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Kris Kwiatkowski
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Bas Westerbaan
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… David Benjamin
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Kris Kwiatkowski
- [TLS] Re: [EXTERNAL] Re: Post-quantum hybrid ECDH… Viktor Dukhovni