IETF Logo Mail Archive

[TLS] Re: ML-DSA in TLS

"D. J. Bernstein" <djb@cr.yp.to> Mon, 18 November 2024 22:25 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72C79C14F6FF for <tls@ietfa.amsl.com>; Mon, 18 Nov 2024 14:25:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NXJ6vxANW01s for <tls@ietfa.amsl.com>; Mon, 18 Nov 2024 14:25:04 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 9EAB7C14F6A5 for <tls@ietf.org>; Mon, 18 Nov 2024 14:25:04 -0800 (PST)
Received: (qmail 496 invoked by uid 1010); 18 Nov 2024 22:25:03 -0000
Received: from unknown (unknown) by unknown with QMTP; 18 Nov 2024 22:25:03 -0000
Received: (qmail 321834 invoked by uid 1000); 18 Nov 2024 22:24:51 -0000
Date: Mon, 18 Nov 2024 22:24:51 -0000
Message-ID: <20241118222451.321832.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <9c978730-68d9-4a3f-9d3a-8e71a87ad719@redhat.com>
Message-ID-Hash: 5U3J2NMLWTDJ6C3IXWNMCXOBELIFAVGI
X-Message-ID-Hash: 5U3J2NMLWTDJ6C3IXWNMCXOBELIFAVGI
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: ML-DSA in TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jKPMnMUDLgKdiPLM8q94cEYeFpU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Alicja Kario writes:
> Unfortunately, I don't think we have a rough consensus in
> LAMPS on how hybrid signatures should be done just yet, and without that,
> we can't standardise it for TLS.

It's trivial to build a signature system where each signature has,
internally, an Ed25519 signature followed by whichever PQ signature,
of course with the verifier requiring both signatures to pass.

Nothing is stopping TLS from going ahead with this straightforward form
of ECC+PQ for signatures, analogously to draft-ietf-tls-hybrid-design
for KEMs. This eliminates the delay issue. Compared to just PQ in TLS,
focusing on ECC+PQ in TLS will do a better job of encouraging upgrades.

There are other combiner options that hash more inputs in the hope of
protecting more protocols. A unified combiner that hashes all available
inputs, as in Chempat for KEMs or

   https://mailarchive.ietf.org/arch/msg/cfrg/LdvasJBpseekZtQkQF1nuPPDH_s/

for signatures, turns out to have very little cost in context (as an
analogy, remember how the world didn't come to an end when TLS moved to
hashing the transcript?), but there are still other combiner proposals
that skimp on hash calls. So, sure, waiting for those discussions to
settle would produce a delay---but I don't see how that's an argument
for doing PQ instead of ECC+PQ.

---D. J. Bernstein

v2.29.0 | Report a Bug | By Email | System Status