IETF Logo Mail Archive

[TLS] Re: ML-DSA in TLS

Alicja Kario <hkario@redhat.com> Mon, 18 November 2024 13:53 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BADAC151525 for <tls@ietfa.amsl.com>; Mon, 18 Nov 2024 05:53:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.247
X-Spam-Level:
X-Spam-Status: No, score=-2.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dlj_VYs_-zur for <tls@ietfa.amsl.com>; Mon, 18 Nov 2024 05:53:52 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C621C151079 for <tls@ietf.org>; Mon, 18 Nov 2024 05:53:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1731938030; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O0ZUOhnkQaVTZAwaN+8abPTjS6DgpI19EdAAwQGyUTU=; b=Z03FPdKdNuIvVnlfGnPgHexjmhYtCcWwXOHedkiibpfCpFthO0uq5k9n5yQfB6RxokF2HH CzxsttpDtoLV6jNn5GaSwhakTDCkRwJEH6e2Ut8JxOLKwL5hsl/G8ILrlkuXQ9fKhzQAlK VzCUkUbzUxpDi/FY79ZbyM+ZKYUPsnY=
Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-618-rxWW74ZeMsa7lSwSAO4hdA-1; Mon, 18 Nov 2024 08:53:49 -0500
X-MC-Unique: rxWW74ZeMsa7lSwSAO4hdA-1
X-Mimecast-MFC-AGG-ID: rxWW74ZeMsa7lSwSAO4hdA
Received: by mail-wr1-f70.google.com with SMTP id ffacd0b85a97d-3822ec50b60so1461212f8f.0 for <tls@ietf.org>; Mon, 18 Nov 2024 05:53:49 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731938027; x=1732542827; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=eO+3P4qKQoLcKJkZIajBSrIflWMh0DA9oF2PahJfahg=; b=dmoBH8Qub7cO5zS2NfKc+rxJhtzeCGp7nKzL70PK9t7Sw9Fek7qD919CX+zGY+6XP8 a1ktKfH9Ml7e5ALT9VLKs7G2zHN8QbWWVlElQkqkB7eEjGgpyhiEMcTryzqRCu9AhUZQ OL/l2Eodqa010LlmbG4CNorRtGR8Sbh0ZcjB8ydboZe5eevPHEhXCbzlBXpBTgM+TeR6 aUlQgTMIn9VtaOgy3b+WsRNf3JGy8v3DPpbo2X8lTn9jeeJQZhFH5Z1qHtPvIHggw2rB IVqyOtz9xtVtObAcWSXkRsizLtnlN6J0qS+BuZn5g+BB3rU10USbvxq9weqdpJjtLQU0 NCHQ==
X-Gm-Message-State: AOJu0YxV7gLgzbtIlbAb3TksCYOiI719Ydveufwpdpa+laL5gOX8747A cpA7rJEQuMAKXHcqw2eNV7t/Vy/UepxE1BxViyvLOQqXHHU4tUCiDri2ZaGZv1ZQx58UQk38sIJ OyD5WYuacm98X9jxBgt0TqS8xpcxRz0DoK5A7Kzf7sAugIX5Q
X-Received: by 2002:a5d:64a4:0:b0:382:40ef:4319 with SMTP id ffacd0b85a97d-38240ef43fcmr3305507f8f.55.1731938027333; Mon, 18 Nov 2024 05:53:47 -0800 (PST)
X-Google-Smtp-Source: AGHT+IFlY1nOkwtnsprIRy3wOp7qYIkefxjZJw8sAkhVwPZ5nap2kY34mvgywzdpZVDnE6YPeSughw==
X-Received: by 2002:a5d:64a4:0:b0:382:40ef:4319 with SMTP id ffacd0b85a97d-38240ef43fcmr3305493f8f.55.1731938026955; Mon, 18 Nov 2024 05:53:46 -0800 (PST)
Received: from localhost (ip-94-112-13-93.bb.vodafone.cz. [94.112.13.93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3823c1480b1sm6542767f8f.47.2024.11.18.05.53.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Nov 2024 05:53:46 -0800 (PST)
From: Alicja Kario <hkario@redhat.com>
To: "D. J. Bernstein" <djb@cr.yp.to>
Date: Mon, 18 Nov 2024 14:53:45 +0100
MIME-Version: 1.0
Message-ID: <9c978730-68d9-4a3f-9d3a-8e71a87ad719@redhat.com>
In-Reply-To: <20241116085703.138618.qmail@cr.yp.to>
References: <20241116085703.138618.qmail@cr.yp.to>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.14; xcb; Linux; Fedora release 39 (Thirty Nine)
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: Lbz1Q5rWDQxswvvv53AByZX8zdrQJCLgBQzFovOq6bo_1731938028
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: UYFMJKJK2OI5SEREYO22LB3T7DK6LTY2
X-Message-ID-Hash: UYFMJKJK2OI5SEREYO22LB3T7DK6LTY2
X-MailFrom: hkario@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: ML-DSA in TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jc2MWTWRc0wnHRxW7fzyxeFKnKw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Answering to the broader thread: when I said "uncontroversial" I was 
thinking
more about _how_ it should be done, not _if_ it should be used.

Answer to email below follows.

On Saturday, 16 November 2024 09:57:03 CET, D. J. Bernstein wrote:
> Watson Ladd writes:
>> Authentication is not like encryption.
>
> I presume that you're alluding to the following process: if the PQ
> signature system is broken, we revert to ECC signatures, and then the
> attacker doesn't benefit from forging the no-longer-accepted signatures
> (whereas we can't stop attackers from breaking previous ciphertexts).
>
> This process leaves computers completely exposed until they've reverted
> to ECC. Sure, some environments are fast to make changes, but some
> aren't. For comparison, using ECC+PQ in the first place avoids this
> security failure, and will make many people less hesitant to upgrade.
>
> The revert-in-case-of-disaster process also leaves computers completely
> exposed to PQ attacks that haven't come to the public's attention yet.
> Out of the 69 round-1 submissions to NIST, 33 have been publicly broken
> by now (see https://cr.yp.to/papers.html#pqsrc) with some of the
> attacks not published for years; is it so hard to imagine that
> large-scale attackers found some attacks before the public did?
>
> More broadly, conflating "no attacks have been published" with "no
> attacks are being carried out" is unjustified, an extreme form of
> availability bias. Occasionally there are leaks from attackers
> illustrating how much damage this mistake has done. Example:
>
>    
> https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

All good points, ones I agree with, but I think those are arguments
against wide deployment of pure ML-DSA, not against describing how
the algorithms should be implemented on technical level.

The reality is that we have very tight deadlines from CNSA2.0, with 
customers
actively asking for post-quantum support. For those for whom those 
requirements
apply, use of ML-DSA is not only uncontroversial, but mandatory.

And personally, I'd prefer them using ML-DSA than LMS or XMSS...

For the wider Internet, where we want fail-safe options, yes, hybrids are
probably better. Unfortunately, I don't think we have a rough consensus in
LAMPS on how hybrid signatures should be done just yet, and without that,
we can't standardise it for TLS.

(that being said, I don't think ML-DSA will be completely broken 
over-night,
I suspect it will be weakened over time, so migration off of it won't need
to happen with high agility... but only time will tell how it will play 
out)
-- 
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

v2.29.0 | Report a Bug | By Email | System Status