IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-hybrid-design

"Kampanakis, Panos" <kpanos@amazon.com> Wed, 17 August 2022 20:37 UTC

Return-Path: <prvs=22163a36c=kpanos@amazon.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 617D8C152577 for <tls@ietfa.amsl.com>; Wed, 17 Aug 2022 13:37:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.177
X-Spam-Level:
X-Spam-Status: No, score=-15.177 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KlhzQI1NT5dD for <tls@ietfa.amsl.com>; Wed, 17 Aug 2022 13:37:33 -0700 (PDT)
Received: from smtp-fw-80007.amazon.com (smtp-fw-80007.amazon.com [99.78.197.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F29F9C1524CD for <tls@ietf.org>; Wed, 17 Aug 2022 13:37:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1660768653; x=1692304653; h=from:to:date:message-id:references:in-reply-to: mime-version:subject; bh=ZKhgcAWGcWqUujfddpJbNGf6Vn6P9cv+xJpu68ohbAM=; b=RkGI2rsorfZPc7VKmEsAXLfjZZCB9Rm0+w/nS4SMkQowX0MZtLl8Q2SF SldwUhcPZp2Iv4JoG3yB/18fv32i2+Ca6TWZxaOWUhqd6HDztbF3wvgHz gbxBGs1g6SFwFgW198N7mloESzJxaN0Ga5th1SC7TxMxrPuJgDCcl+gi5 k=;
X-IronPort-AV: E=Sophos;i="5.93,244,1654560000"; d="scan'208,217";a="120446121"
Thread-Topic: [TLS] WGLC for draft-ietf-tls-hybrid-design
Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO email-inbound-relay-iad-1a-a31e1d63.us-east-1.amazon.com) ([10.25.36.214]) by smtp-border-fw-80007.pdx80.corp.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Aug 2022 20:37:13 +0000
Received: from EX13MTAUWB001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38]) by email-inbound-relay-iad-1a-a31e1d63.us-east-1.amazon.com (Postfix) with ESMTPS id C82D8942BC; Wed, 17 Aug 2022 20:37:11 +0000 (UTC)
Received: from EX19D001ANA003.ant.amazon.com (10.37.240.188) by EX13MTAUWB001.ant.amazon.com (10.43.161.249) with Microsoft SMTP Server (TLS) id 15.0.1497.38; Wed, 17 Aug 2022 20:37:11 +0000
Received: from EX19D001ANA001.ant.amazon.com (10.37.240.156) by EX19D001ANA003.ant.amazon.com (10.37.240.188) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.12; Wed, 17 Aug 2022 20:37:10 +0000
Received: from EX19D001ANA001.ant.amazon.com ([fe80::6054:a5f0:5f79:c120]) by EX19D001ANA001.ant.amazon.com ([fe80::6054:a5f0:5f79:c120%5]) with mapi id 15.02.1118.012; Wed, 17 Aug 2022 20:37:09 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: "tls@ietf.org" <tls@ietf.org>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Index: AQHYXCjhHK9b5yL3LU2YYbdtj2pFOa0IKnwAgABwz4CAo5rgAIABX6KAgAaK4QCAAAbegIAADwUQgAACYeA=
Date: Wed, 17 Aug 2022 20:37:09 +0000
Message-ID: <1fb6ed30db094e888543f3011d8e8abc@amazon.com>
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <e43fc649-3fc6-333b-c44d-55de0627c710@cs.tcd.ie> <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald> <38de10e6-ab3c-6ea1-44b7-57057c97e7aa@cs.tcd.ie> <CH0PR11MB5444D7D4F32F195FFB189C10C1679@CH0PR11MB5444.namprd11.prod.outlook.com> <Yve/S5OoKZMnUjNz@LK-Perkele-VII2.locald> <CH0PR11MB54447BA50DA9DA02F6DA2511C16A9@CH0PR11MB5444.namprd11.prod.outlook.com> <680a267a-6cd1-cf70-8f01-c31d9e823025@amongbytes.com> <8d84f215ceec4e0c8da26d57f42ac61c@amazon.com>
In-Reply-To: <8d84f215ceec4e0c8da26d57f42ac61c@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.106.179.21]
Content-Type: multipart/alternative; boundary="_000_1fb6ed30db094e888543f3011d8e8abcamazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jKG2YeYXThXx0gSDxrQu_xcYkTs>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2022 20:37:35 -0000

I forgot to suggest to add a paragraph in the Sec Considerations section about Kyber-512.

Kyber-512 offers a CoreSVP hardness of ~120 bits of security which is a little lower than it should. The Kyber submission refines the CoreSVP cost by using sieving cost simulations and claims that the gate and memory cost is ~2^150 and ~2^90 approximately which they argue is better than AES. I think it would be worth to call out the CoreSVP hardness and the refined estimate for Kyber-512 in the Sec Considerations section.



From: Kampanakis, Panos
Sent: Wednesday, August 17, 2022 4:26 PM
To: 'Kris Kwiatkowski' <kris@amongbytes.com>; tls@ietf.org
Subject: RE: [EXTERNAL][TLS] WGLC for draft-ietf-tls-hybrid-design

+1 on the 3 proposed by Scott and P256+Kyber512 proposed by Kris.

From: TLS <tls-bounces@ietf.org<mailto:tls-bounces@ietf.org>> On Behalf Of Kris Kwiatkowski
Sent: Wednesday, August 17, 2022 3:31 PM
To: tls@ietf.org<mailto:tls@ietf.org>
Subject: RE: [EXTERNAL][TLS] WGLC for draft-ietf-tls-hybrid-design


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



I support those choices, but would also add P256+Kyber512.
* (1) same reason as below (by Scott)
* (2) to be able to declare security of generated keys in FIPS-mode for
      _both_ - classical and post-quantum schemes (once Kyber is standardized).
After double-checking with NIST today, currently there is no clear plan for
updating SP 800-56A with X25519 (opposite to SP 800-186).

Kind regards,
Kris
On 8/17/22 20:06, Scott Fluhrer (sfluhrer) wrote:

So that we get an initial answer to this (so we can put it into the draft - of course, we can debate what's in the draft...)



Illari suggested:



X25519+Kyber768

P384+Kyber768



Well, I would suggest adding in



X25519+Kyber512



For those situations where we need to limit the message size (perhaps DTLS and QUIC).



Is the working group happy with that?



-----Original Message-----

From: TLS <tls-bounces@ietf.org><mailto:tls-bounces@ietf.org> On Behalf Of Ilari Liusvaara

Sent: Saturday, August 13, 2022 11:12 AM

To: TLS@ietf.org<mailto:TLS@ietf.org>

Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design



On Fri, Aug 12, 2022 at 06:13:38PM +0000, Scott Fluhrer (sfluhrer) wrote:

Again, this is late, however Stephen did ask this to be discussed in the

working group, so here we go:



-----Original Message-----

From: TLS <tls-bounces@ietf.org><mailto:tls-bounces@ietf.org> On Behalf Of Stephen Farrell

Sent: Saturday, April 30, 2022 11:49 AM

To: Ilari Liusvaara <ilariliusvaara@welho.com><mailto:ilariliusvaara@welho.com>; TLS@ietf.org<mailto:TLS@ietf.org>

Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design





Hiya,



On 30/04/2022 10:05, Ilari Liusvaara wrote:

On Sat, Apr 30, 2022 at 01:24:58AM +0100, Stephen Farrell wrote:

- section 5: IMO all combined values here need to have

recommended == "N" in IANA registries for a while and that needs

to be in this draft before it even gets parked. Regardless of

whether or not the WG agree with me on that, I think the current

text is missing stuff in this section and don't recall the WG

discussing that



I think that having recommended = Y for any combined algorithm

requires NIST final spec PQ part and recommended = Y for the

classical part (which allows things like x25519 to be the classical part).



That is, using latest spec for NISTPQC winner is not enough. This

impiles recommended = Y for combined algorithm is some years out

at the very least.



I agree, and something like the above points ought be stated in the

draft after discussion in the WG.



Section 5 is 'IANA considerations', and would be where we would list

the various supported hybrids, which we don’t at the moment.



Well, if we were to discuss some suggested hybrids (and we now know

the NIST selection), I would suggest these possibilities:



- X25519 + Kyber512

- P256 + Kyber512

- X448 + Kyber768

- P384 + Kyber768



I would take:



X25519+Kyber768

P384+Kyber768



The reason for taking Kyber768 is because the CRYSTALS team recommends

it. The reason for taking P384 is because it is CNSA-approved, so folks that

need CNSA can use that.



Of course, that is likely to bust packet size limits. I do not think that is an

issue in TLS, but DTLS and QUIC might be another matter entierely (in theory

DTLS and QUIC can handle it just fine, practice might be another matter

entierely. And if such problems are there, it is good to know about those...

This stuff is experimental).





Of course, it's possible that NIST will tweak the definition of Kyber;

that's just a possibility we'll need to live with (and wouldn't change

what hybrid combinations we would initially define)



I would think such changes would just mean the interim post-quantum kex is

not compatible with the final one. Not that big of deal, there are tens of

thoursands of free codepoints. If an implementation  needs both, it can

probably share vast majority of the code.







-Ilari



_______________________________________________

TLS mailing list

TLS@ietf.org<mailto:TLS@ietf.org>

https://www.ietf.org/mailman/listinfo/tls

_______________________________________________

TLS mailing list

TLS@ietf.org<mailto:TLS@ietf.org>

https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email