IETF Logo Mail Archive

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Thom Wiggers <thom@thomwiggers.nl> Thu, 09 November 2023 15:18 UTC

Return-Path: <thom@thomwiggers.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03D24C18E552 for <tls@ietfa.amsl.com>; Thu, 9 Nov 2023 07:18:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.005
X-Spam-Level:
X-Spam-Status: No, score=-7.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thomwiggers.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1KcoSXni-bY for <tls@ietfa.amsl.com>; Thu, 9 Nov 2023 07:18:32 -0800 (PST)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A46E5C18E54E for <tls@ietf.org>; Thu, 9 Nov 2023 07:18:32 -0800 (PST)
Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-53de0d1dc46so1603063a12.3 for <tls@ietf.org>; Thu, 09 Nov 2023 07:18:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thomwiggers.nl; s=google; t=1699543111; x=1700147911; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=/f6iqBimClBqWlPeZukwtEf/rcYvGhrD+L/6sOs/POo=; b=IDKZfmELRmuAPcOWk00MT838hka1cUZgneob0BXkMvkIOsXRTBT3XRUiS1xJyoB0LU ZP44/OLkquvjkwLfSORVWkEuJjRC0DM8jzy3R3y9dkZfdIt9eIqx8LQhY5zDZuvbVmn6 +P0zo/3BwPAUy2nwc3iDebh2USeRRmxXvFmGc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699543111; x=1700147911; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=/f6iqBimClBqWlPeZukwtEf/rcYvGhrD+L/6sOs/POo=; b=hnMSRkg5/1c6z+Fd3vKLjfT+0Cx6BeA67frbrYLP5/NxUwLus6xeKbB48xr755i3+U pfHNJGtCRSrDLad3+5/nKhX60aHgDIJCNNpp8sAYsE1uD+6YPUAj8FeFHw4c6pG2Eh3G hmVbPwnHN4JoN2aV+sQ14MokPKDeXYwLVbHHBSCKQNEZseBwhBxUj04LlryN8MThyy6O wTU2IUBhCf4PuqhwIoOBIh1ReX4emXVwS40H61QkCGtGi3z9DGJy7EHSEPKRR/CdViuL s4IhjVA3CR6uWP2Hp+dGOz2ZKyzNgtN/j/IzjF+HSFH8frEsZFhmgAUh2NltB8PUaDW5 OsKg==
X-Gm-Message-State: AOJu0YzAvZy1iuv3jMb44aLoA09KrvdMmlmYULQUFDmJZHdKFmBBVyrV DfSpUu1Yzb6vbryJznohx20NIUjhdFmWqT0chQw2OQ==
X-Google-Smtp-Source: AGHT+IEvtc5O4108RMnzppLfG5NapDuRkvK4sonV/EnT+JIqFjXIvXZQDsJZsJcybYXehJBSxBS0rg==
X-Received: by 2002:a50:8702:0:b0:540:4f18:7faf with SMTP id i2-20020a508702000000b005404f187fafmr4075756edb.13.1699543110884; Thu, 09 Nov 2023 07:18:30 -0800 (PST)
Received: from smtpclient.apple (2a02-a461-ea84-0-7dca-fdd3-cf01-17d5.fixed6.kpn.net. [2a02:a461:ea84:0:7dca:fdd3:cf01:17d5]) by smtp.gmail.com with ESMTPSA id j2-20020a50ed02000000b0053e8f1f79afsm8204485eds.30.2023.11.09.07.18.30 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Nov 2023 07:18:30 -0800 (PST)
From: Thom Wiggers <thom@thomwiggers.nl>
Message-Id: <40D40378-B246-475D-BAF1-07FA7425E73F@thomwiggers.nl>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1E91F596-39F9-4774-A646-256B1A2A36A2"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.200.91.1.1\))
Date: Thu, 09 Nov 2023 16:18:19 +0100
In-Reply-To: <CH0PR11MB5444463A58964CEB0F91E7F2C1AFA@CH0PR11MB5444.namprd11.prod.outlook.com>
Cc: "tls@ietf.org" <tls@ietf.org>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
References: <CAEEbLAZECSX+LvjMgA+kUpkybs-S92L2Te58Y35Pytu2CA2DhA@mail.gmail.com> <GVXPR07MB96784CF76D3DE39BE67D72F289AFA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CH0PR11MB5444463A58964CEB0F91E7F2C1AFA@CH0PR11MB5444.namprd11.prod.outlook.com>
X-Mailer: Apple Mail (2.3774.200.91.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pSNa6qU2mlELK2KFdVMatHKQROQ>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2023 15:18:37 -0000

Hi,

I remembered that this discussion was somewhat summarised in https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design-03#appendix-B, which might be helpful.

Cheers,

Thom


> Op 9 nov 2023, om 12:00 heeft Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org> het volgende geschreven:
> 
> We had that argument several IETF’s ago (IETF 105?), and the clear consensus of the working group was that explicit named hybrid combinations (e.g. one for ML-KEM-512 + X25519) was the way to go.
>  
> Do we want to reopen that argument?  Now, I was on the other side (and I still think it would be a better engineering decision, given the right negotiation mechanism), but if it delays actual deployment, I would prefer if we didn’t.
>  
> From: TLS <tls-bounces@ietf.org> On Behalf Of John Mattsson
> Sent: Thursday, November 9, 2023 3:48 AM
> To: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>; tls@ietf.org
> Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
>  
> Hi,
>  
> Everybody seem to agree that hybrids should be specified. Looking in my crystal ball, I predict that registering hybrids as code points will be a big mess with way too many opinions and registrations similar to the TLS 1.2 cipher suites. The more I think about it, the more I think TLS 1.3 should standardize a generic solution for combining two or more key shares.
>  
> My understanding of what would be needed:
>  
> - New "split_key_PRF" extension indicating that client supports split-key PRF.
>  
> - When "split_key_PRF" is negotiated the server may chose more than one group/key share.
>  
>       struct {
>           NamedGroup selected_groups<0..2^16-1>;
>       } KeyShareHelloRetryRequest;
>  
>      struct {
>           KeyShareEntry server_shares<0..2^16-1>;
>       } KeyShareServerHello;
>  
> - When "split_key_PRF" is negotiated HKDF-Expand(Secret, HkdfLabel, Length) is replaced by a split-key PRF(Secret1, Secret2, ... , HkdfLabel, Length)
>  
> I think the current structure that the TLS server makes the decisions on “groups” and “key shares” should be kept.
>  
> There was a short discussion earlier on the list
> https://mailarchive.ietf.org/arch/msg/tls/Z-s8A0gZsRudZ9hW4VoCsNI9YUU/
>  
>  
> Sophie Schmieg sschmieg@google.com <mailto:sschmieg@google.com> wrote:
> ”Our stated intention is to move to Kyber once NIST releases the standard”
> “I do not think it makes a lot of sense to have multiple schemes based on structured lattices in TLS, and Kyber is in my opinion the superior algorithm.”
>  
> I agree with that. 
>  
> Cheers,
> John Preuß Mattsson
>  
>  
>  
> From: TLS <tls-bounces@ietf.org <mailto:tls-bounces@ietf.org>> on behalf of Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org <mailto:sschmieg=40google.com@dmarc.ietf.org>>
> Date: Thursday, 9 November 2023 at 08:40
> To: tls@ietf.org <mailto:tls@ietf.org> <tls@ietf.org <mailto:tls@ietf.org>>
> Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
> 
> > > On 8 Nov 2023, at 8:34, Loganaden Velvindron <loganaden@gmail.com <mailto:loganaden@gmail.com>> wrote:
> > > 
> > > I support moving forward with hybrids as a proactively safe deployment
> > > option. I think that supporting
> > > only Kyber for KEX  is not enough. It would make sense to have more options.
> > > 
> > > Google uses NTRU HRSS internally:
> > > https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-906db70ac616716e&q=1&e=19fc7c2a-a02d-472c-b2ec-cc51f454c161&u=https%3A%2F%2Fcloud.google.com%2Fblog%2Fproducts%2Fidentity-security%2Fwhy-google-now-uses-post-quantum-cryptography-for-internal-comms>
> > > 
> > > If Google decides to use this externally, how easy would it be to get
> > > a codepoint for TLS ?
> > As easy as writing it up in a stable document (may or may not be an Internet-draft) and asking IANA for a code point assignment.
> > 
> > It can be done in days, if needed.
> > 
> >  Yoav
> 
> Just to clarify a few things about our internal usage of NTRU-HRSS: This is for historic reasons.
> 
> Our stated intention is to move to Kyber once NIST releases the standard, see e.g. my talk at PQCrypto [1], where I go into some detail on this topic.
> Long story short, we had to choose a candidate well before even NIST's round 3 announcement, and haven't changed since changing a ciphersuite, while relatively straightforward is not free, so we would like to avoid doing it twice in a year.
> The only security consideration that went into the decision for NTRU was that we wanted to use a structured lattice scheme, with NTRU being chosen for non-security related criteria that have since materially changed.
> I do not think it makes a lot of sense to have multiple schemes based on structured lattices in TLS, and Kyber is in my opinion the superior algorithm.
>  
> [1] https://www.youtube.com/watch?v=8PYYM3G7_GY
> 
> 
> --
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email