Re: [TLS] Requesting working group adoption of draft-stebila-tls-hybrid-design

Douglas Stebila <dstebila@gmail.com> Thu, 13 February 2020 11:39 UTC

Return-Path: <dstebila@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC9F1200C3 for <tls@ietfa.amsl.com>; Thu, 13 Feb 2020 03:39:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IEoA0tbfDlhN for <tls@ietfa.amsl.com>; Thu, 13 Feb 2020 03:39:51 -0800 (PST)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2EB6120043 for <tls@ietf.org>; Thu, 13 Feb 2020 03:39:50 -0800 (PST)
Received: by mail-qk1-x736.google.com with SMTP id c188so5316901qkg.4 for <tls@ietf.org>; Thu, 13 Feb 2020 03:39:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Z2dkq6FgfDFvqYBZvPkhP5tjGl8MKQtxlODb6krYQsA=; b=NW3SVdwkRMAbYlBUdLXePouJhyJvs/KdopjLyOc4IOG1gD6DxN/Ph7asbh86UExyEZ 3K+qLMamFYB0l3OtU9m7+70fG40tCbbEnerg7aSPe3iONocq4Myo9wMRWZwfrltscJBy CGv2aT/6hD7pfXVTAjiU6rjRkOEguR4SkG8CWVtWsp6v6EWEoFWGXmotUdmwpRm3UhCj wcrX+DAhQ6NN3mYsegbSZPMnn7qlMOdfYSlkIFGLD+oKWL7r6LYHE94bippcTz8z9+hZ uN14go+0amxR6D+L6pJR9ZCLybn9lLBVHyYoIsvE9jtmnmD5M12OY2daTdDxz4r6ybCs 3vew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Z2dkq6FgfDFvqYBZvPkhP5tjGl8MKQtxlODb6krYQsA=; b=hzSdptSyagbwerWECH1HG3cAq5ou/uQ5SY+G2pBaHbp27RbMctDzIXEKKchHkucTe8 AuOW7UgLiGTz8gnPVjPZeYmsqITO19TssHECOhL/kNOZ6/2g61waJLZCimmauqrio50B dmuTcgn4f/QfaxKD3OAwzu6PB0Fj0g6EQp7b3EmWh02MVOfywJOEareuenfzaluAkZsP zdsBVWt2FbhUvb4cWGySkZatMFd/myYO1m1B3RKZc0sC65kpe4qdyLoY4ixWIO1ha3dv G3EG6/aTXmpmMRXJfYrQUkG760mFq3/zFM55bFQORTlwY8/cmaDCo9QSBeq5bw57KmG+ cEFw==
X-Gm-Message-State: APjAAAWtevh1/3cjMbotMq+sL43ZI0qeKdgcJ2v1iq3yZnsHMYs6o9Xb vUe0eYs/XFT3q+lo65F449HvUS5i
X-Google-Smtp-Source: APXvYqziYnK52rgIi8ApCvSXlTiIYZ6RarLvY7MfRif7v4ah1a/98O+5I6X6jQEkn9U5b7jfwqHwDA==
X-Received: by 2002:ae9:e8d2:: with SMTP id a201mr4890552qkg.47.1581593989941; Thu, 13 Feb 2020 03:39:49 -0800 (PST)
Received: from laptop-picard.coleridge (CPE881fa12cf37b-CMa84e3fc93e50.cpe.net.cable.rogers.com. [99.250.203.26]) by smtp.gmail.com with ESMTPSA id l19sm1149447qkl.3.2020.02.13.03.39.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Feb 2020 03:39:49 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Douglas Stebila <dstebila@gmail.com>
In-Reply-To: <284685f0-8b19-4870-aef6-573809827091@www.fastmail.com>
Date: Thu, 13 Feb 2020 06:39:46 -0500
Cc: tls@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B488EE8F-670B-472C-9213-2DBBA8E89040@gmail.com>
References: <CAFBh+SRAJAbviyrcQM2PjztumAH565i4-ui28OQ-pCJE9nePJg@mail.gmail.com> <284685f0-8b19-4870-aef6-573809827091@www.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jyLrz6cPeq24QlOY_ZnnAH2ogoY>
Subject: Re: [TLS] Requesting working group adoption of draft-stebila-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2020 11:39:52 -0000

Hi Martin,

Thanks for the suggestions.  Indeed, happy to incorporate changes in framing, tone, etc. to better reflect the purpose of the document.

> At a high level, I think that this would be easier if it were more clearly framed as *recommendations*, especially when it comes to the format of key shares and the input secret.  One advantage of the macro-level design is that the format is can be specified on a case-by-case basis.  For instance, variable-length values might be length-prefixed; fixed size values don't need to be.  That might avoid having to directly specify a single format. 
> 
> [...]
> 
> The concatenation approach is definitely my preferred approach, but the inconsistency between the design for key shares and secrets is curious.  This design assumes that shares are length-delimited; secrets are not.  The latter implies that the `ss` needs to be fixed length for a given algorithm (both the PQ and classical parts), but `ct`/`pk` does not.  I can guess at why, but when you can avoid the question, then I think you should.  That is, in favour of more generic recommendations on structure.

There are examples of current PQ candidates that have variable sized ct / pk: SIKE has compressed and uncompressed variants, which are mathematically interoperable and would result in the same shared secret, but trade smaller communication for more computation.

To the best of my knowledge, none of the current PQ candidates have variable sized shared secrets.

We did have some debate internally when preparing the draft about whether shared secrets should have length encoding or not, and in the end decided not, despite the apparent inconsistency in design.

Douglas