Re: [TLS] PQC key exchange sizes
Rob Sayre <sayrer@gmail.com> Wed, 27 July 2022 20:54 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70ECFC15A731 for <tls@ietfa.amsl.com>; Wed, 27 Jul 2022 13:54:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SRKzCo4T3_SO for <tls@ietfa.amsl.com>; Wed, 27 Jul 2022 13:54:15 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FF27C14F732 for <tls@ietf.org>; Wed, 27 Jul 2022 13:54:15 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id i13so13831430edj.11 for <tls@ietf.org>; Wed, 27 Jul 2022 13:54:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=L8ee7r05z4PCehwzahiP0jQcdfeTAKtlfc6H73Mq9uo=; b=gUSPhqGoYUTo3jMabppjsxXfqLK/7nVqMyWDV4jaoXHW5nb416zl2cE6f/cbe9yVDG neVPLVC8JRc0kWtgB816YbNqesyL6pk0SFsI4/vCZ+qq8AWehDyhFWa0QO9CAXM9S4JY oFpULzypi97Y5a9mA7caf0T147UvbtbWddkn9PFOarqlrey3+6Tye5DZAK/ZzoWx4oC5 +HBSFDGu0/3Niu7aH3Ss71mwENgM7s3FavfdL9rRgDz7TJBHOJTfNBG5QgjWQuAQ6G9s oSKpGiie5tpc9ANvJmbne1GCqFhje6Cfb18MNioHe1mVSIuCThqbpNnRJ+YXNxhWJzLv GPKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=L8ee7r05z4PCehwzahiP0jQcdfeTAKtlfc6H73Mq9uo=; b=tpb786cbQ8nzvUBsfSLsBtGKpkgaC+bFGJ2eayXGCVoVr4gcnEcOB8yGQXItloXPCK sLPgCAP4PRxYPQSREeQUMk3fZQKcYJBxtPJpKLXQISuIQ6fD3p7olauC0B6QfjwFB/kL 1ALm5xMOBzt1G/qpiwgHrpGwFcA42k9g2DbDYWfq8PiNKUx9D2QiV6PMIRkkhQWg/Zme 5aNnvDDooWYK8TKkqXVADHuNGfKTpNj1SoEXO01MOpk9tl4+Gq/4szEft742Po8iaEyz Lzu2f6mw+jzfF7oJfuDFApLqo6d6MA+UKcvGDPbiXxPyvPLUT57gWef81rXBGm4BecBq 2rzA==
X-Gm-Message-State: AJIora9r9gY0ER0ZOONtHaARK5r6I4RFhIWKEmLrG3ZU9bUgVOsB/to3 /HxHmcy5hpWa7LTohu+oJMLXekJdTbVFc1gPysE9PFy8+cA=
X-Google-Smtp-Source: AGRyM1sZsMARp/G66uTJnoWnnTafgZLfpTyaW9uJHsF/w+tU4ctURlhKBRnlZ9McYUm8qXPmzC/pp+k9t48UH1EdGow=
X-Received: by 2002:a05:6402:1d51:b0:41f:cf6c:35a5 with SMTP id dz17-20020a0564021d5100b0041fcf6c35a5mr25620522edb.25.1658955253259; Wed, 27 Jul 2022 13:54:13 -0700 (PDT)
MIME-Version: 1.0
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com> <YuABORXSaes9Wqwo@LK-Perkele-VII2.locald> <a643450d5fdb40cf8af3f5b96cdbd922@amazon.com> <YuFOm9bUWkPBOBw3@LK-Perkele-VII2.locald> <0bebb6b80caa4ad6804b94bb74959675@amazon.com> <CAMjbhoVALmeJPokkFvVe2R3ePCc82MzzQf0P=nL0FxnWM8DfZQ@mail.gmail.com>
In-Reply-To: <CAMjbhoVALmeJPokkFvVe2R3ePCc82MzzQf0P=nL0FxnWM8DfZQ@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Wed, 27 Jul 2022 13:54:02 -0700
Message-ID: <CAChr6SxnJ2oDk3YRZ+LmLn2=gwVhqWjRgPWOmQDyDN63LyNvNA@mail.gmail.com>
To: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
Cc: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000091a01405e4cf9e20"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/leGR2eTvNVxk4Tj3NmSeFs_VHs8>
Subject: Re: [TLS] PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2022 20:54:19 -0000
Hi, There's also data from the old Chrome/Cloudflare experiment, in the discussion section: https://blog.cloudflare.com/the-tls-post-quantum-experiment/ I /think/ the discussion says that sending handshake messages somewhat above the MTU didn't matter much, except on the slowest connections. They do hesitate to settle on a reason for that. As for compatibility in general, it seems premature to worry about. If an implementation adds PQC support, and finds it doesn't work for underlying fragmentation reasons, they'll surely have to fix that too. thanks, Rob On Wed, Jul 27, 2022 at 12:06 PM Bas Westerbaan <bas= 40cloudflare.com@dmarc.ietf.org> wrote: > On the QUIC side, there is the "*Q*uantum Ready" interop test: > > > https://docs.google.com/spreadsheets/d/1D0tW89vOoaScs3IY9RGC0UesWGAwE6xyLk0l4JtvTVg/edit#gid=438405370 > > > > On Wed, Jul 27, 2022 at 8:57 PM Kampanakis, Panos <kpanos= > 40amazon.com@dmarc.ietf.org> wrote: > >> Gotcha. This is a reasonable explanation for a potential problem, but I >> would also like to see experimental proof that DTLS implementation X, Y, Z >> have the problem. TLS implementations don't deal with big ClientHellos >> today so we could assume they would have a problem, but when tested they do >> OK for the most part. >> >> >> -----Original Message----- >> From: TLS <tls-bounces@ietf.org> On Behalf Of Ilari Liusvaara >> Sent: Wednesday, July 27, 2022 10:42 AM >> To: <tls@ietf.org> <tls@ietf.org> >> Subject: RE: [EXTERNAL][TLS] PQC key exchange sizes >> >> CAUTION: This email originated from outside of the organization. Do not >> click links or open attachments unless you can confirm the sender and know >> the content is safe. >> >> >> >> On Wed, Jul 27, 2022 at 02:27:12AM +0000, Kampanakis, Panos wrote: >> > Hi Ilari, >> > >> > > - DTLS-level fragmentation. There are buggy implementations that >> > > break if one tries this. >> > >> > DTLS servers have been fragmenting and sending cert chains that don’t >> > fit in the MTU for a long time. Is this buggy on the TLS client side? >> >> These problems are specific to fragmenting Client Hello. Handling >> fragmented DTLS Client Hello is different from handling fragmented DTLS >> Certificate (and even more so in DTLS 1.3). I think DTLS specification just >> pretends both cases are the same. They are not. >> >> >> QUIC implementations could have similar issues with multiple initial >> packets, but operating QUIC with fast failure-independent fallback would >> make failures soft. >> >> >> There is the general principle that if some protocol feature is not used >> in the wild, it tends to break, even if required part of the protocol. >> Either by implementation being poorly tested and buggy, assuming the >> feature does not exist, or being missing entierely. >> Combine this with interop failures having outsize impact and old versions >> sticking around far longer than desriable. And I do not think fragmented >> Client Hellos in DTLS or multiple initials in QUIC are seen much. >> >> >> One trick with DTLS would be sending client hello with no key shares. >> Causes extra round-trip, but any server that selects PQC causing >> fragmentation would presumably be capable of handling that. >> >> >> >> -Ilari >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] PQC key exchange sizes Thom Wiggers
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Stephen Farrell
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Bas Westerbaan
- Re: [TLS] PQC key exchange sizes Rob Sayre
- Re: [TLS] PQC key exchange sizes Sofía Celi
- [TLS] Before we PQC... Re: PQC key exchange sizes Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Peter Gutmann
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Bas Westerbaan
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Robert Relyea
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Thom Wiggers