IETF Logo Mail Archive

Re: [TLS] ML-KEM key agreement for TLS 1.3

Watson Ladd <watsonbladd@gmail.com> Fri, 15 March 2024 20:35 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A26AC14F690 for <tls@ietfa.amsl.com>; Fri, 15 Mar 2024 13:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZZMjjAZMqbki for <tls@ietfa.amsl.com>; Fri, 15 Mar 2024 13:35:09 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5CD7C14F610 for <tls@ietf.org>; Fri, 15 Mar 2024 13:35:09 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id ffacd0b85a97d-33e1878e357so1005842f8f.3 for <tls@ietf.org>; Fri, 15 Mar 2024 13:35:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710534908; x=1711139708; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=kRINEPXrL4vzqgh/JnDFVh9949wz3xOvWzKZssX3RnM=; b=MDZ3qOgE5poWBqhhhHF/odfRRrpBkZcSkzSOm9kIw0Q2+YbJ7nIxHe8MOX+E4UKm7w t27JvUKxSUoa8YP69SaCApTDqQxyiyiVp4wrXnPtJ1K1T+Gp32ezTDJ9+hqR3nDpQsuu 14tlVFjfXof4TDMKjj+C7cBQW0O0Dd3JWXzh0utVR7OWwDQs2/MlGHK3g1Nho5qLh1Gr KmmppasRHKrdMQHeeKsNXAKvcHz6lp9ieytKWy2Nc8tPgVLclZA6Hi95pYnoDjAp9RcI 73zucM6nPHSynSwPSzkdcIQdsi2/gK+gPr/JSwDVk/xi9dnHBl1ynqawmeX2EQPD2Z7C Yuzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710534908; x=1711139708; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kRINEPXrL4vzqgh/JnDFVh9949wz3xOvWzKZssX3RnM=; b=nvk4nN+L5iyhvq/IyPm+4FKM13lvOsFVj3Sqi4YtNsYXnWf6TFJ72aNDZN7mR0rI7N WmXXcT+hji3CbtCNM2Q7IPcuyyKEFLjXJOxNzsNBYOc1/t0V728pXvLMQupzqaGlE3yh 38qlQ/l4n7ptaKqwP6j6gaOSQOgWdgvUcVas/XcGJo4DaFMinaeWi0FJFKZyf8mKZlMY MsSuMj3qtC+B6m0IzkfJN5ZJnes0Y+zFxt6gD0GHZW+Ax7oNTAMyvUoWFwC7QMEqEfz+ gUWlQ+IWeVXTEHsM5GSPwYh2DUWkXzPLNzMqhk3fOSG3UOfjQ7pImGjqVIM1gl+NRcZN Ak1w==
X-Forwarded-Encrypted: i=1; AJvYcCUA7B4FYCh8NiPq09+I26ilMUvV19IHZ5ylGixwdZS/0kUOvx/kPuoHtqlsTruQwPQX8axJyZji3Srcd5A=
X-Gm-Message-State: AOJu0Yz8NyXDGqvKhWoneDA6DcnibmYHVkxoF95e9IsOjOLEIdAUi8hx /YAvjAbQSfq85RKZVN2gR5hilYogazRavhOFKoj9BArTWj20yUY8XM1bttk9hS/JG9+wktfUgHQ RrX/OxxK7+rr7ltFyNdngt7c8hMPhVlex
X-Google-Smtp-Source: AGHT+IH0hEDuO6R5yIpDIC9J2M8R9BdDlz/6BI0BqAWXidIvmzb4F7JrfsNwVtEG1wkzPTNy5scrHpoQEX5jgvagtDM=
X-Received: by 2002:a05:6000:8e:b0:33e:6366:5f2a with SMTP id m14-20020a056000008e00b0033e63665f2amr3831644wrx.5.1710534907997; Fri, 15 Mar 2024 13:35:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824wL3sZKoD6OzVpOi8=HZ+aFjqVi4L8UsF8b0p18KOEqVA@mail.gmail.com> <PH8PR09MB929495934EEC8829232EE5DCFC2A2@PH8PR09MB9294.namprd09.prod.outlook.com> <CABcZeBO2sobjXJzW_FNXhfU_vspsr+9YLfcH5zG_JHTX65Os=Q@mail.gmail.com> <CAFR824xo9bL3S_r-GWSkEPhxTQ5yKiDmR4dxwy1LKq0rDCJQOQ@mail.gmail.com>
In-Reply-To: <CAFR824xo9bL3S_r-GWSkEPhxTQ5yKiDmR4dxwy1LKq0rDCJQOQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 15 Mar 2024 13:34:56 -0700
Message-ID: <CACsn0ckwOWzPdCM9PxgZoro1Ru7krN_7YUBnvTBdzKXZpDMy9Q@mail.gmail.com>
To: Deirdre Connolly <durumcrustulum@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Rebecca Guthrie <rmguthr=40uwe.nsa.gov@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pHHkYv3LDWlDp7FcLMG98VHUPg4>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2024 20:35:10 -0000

On Wed, Mar 13, 2024 at 6:39 PM Deirdre Connolly
<durumcrustulum@gmail.com> wrote:
>
> Some considerations for ML-KEM alone (or another trusted PQ-only key agreement) are mainly looking towards the desired next step after hybrid key agreement, and instead of leaving that fuzzy and far off, talking about it in the present. This is also motivated by -hybrid-design allowing several traditional NamedGroups to be negotiated on their own, as hybrid NamedGroups with ML-KEM (although currently both are specified as Kyber but those will change), but no option to negotiate the other side of the hybrid alone, the PQ algorithm alone, Shaking out all the negotiation decisions is desirable as well as 'drawing the rest of the owl' for the pure PQ option implied in the negotiation (are we going to copy the same ~1000 bytes for the PQ and hybrid name groups, when sharing an ephemeral KEM keypair?).

Yes please. Otherwise we are going to face extreme pressure to support
a cartesian product, and consequent API degeneration. To be clear i
think each group should be independent.

>
> For CNSA 2.0, it is cited not as a compatibility _requirement_ of TLS, but a note that a non-trivial segment of users of standard TLS that have been traditionally compliant will not be in a few years, and they will come knocking anyway. This is trying to skate where the puck is going.
>
> But also, the fact that CNSA 2.0 explicitly requires ML-KEM _only_ key agreement in the next ~6-9 years is a strong vote of confidence in any protocol doing this at all, so, TLS wouldn't be out on a limb to support this, basically.
>
> I don't have a strong opinion on whether this should be Recommended = Y.

I'm happy with letting the market decide: we can reevaluate later.

Sincerely,
Watson


--
Astra mortemque praestare gradatim

v2.23.0 | Report a Bug | By Email