IETF Logo Mail Archive

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Deirdre Connolly <durumcrustulum@gmail.com> Mon, 06 November 2023 16:49 UTC

Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E21CC1CAFE8 for <tls@ietfa.amsl.com>; Mon, 6 Nov 2023 08:49:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.853
X-Spam-Level:
X-Spam-Status: No, score=-1.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ET15ElmmsYen for <tls@ietfa.amsl.com>; Mon, 6 Nov 2023 08:49:34 -0800 (PST)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E11FFC18FCC3 for <tls@ietf.org>; Mon, 6 Nov 2023 08:49:02 -0800 (PST)
Received: by mail-ed1-x529.google.com with SMTP id 4fb4d7f45d1cf-5437269a661so11302903a12.0 for <tls@ietf.org>; Mon, 06 Nov 2023 08:49:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699289341; x=1699894141; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=loAQPq9SbmIG2ol3/0g5P4TwlUT5JvvXqSqYCW07Br8=; b=OL9/d2/qRZI2KgK7clgeL4ZtAUZJPXLuA5IniiaiZeVuP24g4tt+se2/33bIa7tjsm Tbi3B8334dBgH10xWroYhosSVmbmi7OWbFg1K1VS7kgS0ILN+FmX34C86UyZlAz2fC56 z/RSJBqUO2Py+2zAV7DrpEqAi9ikHDy6fG4l5wKGgTKUcHeLD2xQt571tYmgqPqdmbLZ g7/7rmu7CL6Vp18ugWU7cUytg0aqjeqZzFhxDsO4SNo/OXpzkK4SNXJbav0JgFjkXzP2 5nDjvRQfbg6ji9Qgt3HWBeFiV9N2EFQ2jt7MzLPdRp8S9+vvH0Ib3WQVUuIX+255fTSm lecA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699289341; x=1699894141; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=loAQPq9SbmIG2ol3/0g5P4TwlUT5JvvXqSqYCW07Br8=; b=HSCrG7NJ8MjhnZy3RtgxgP/LqrIKM/HsfIegB7VOyW0eXve0NnNmmubnHpTTZ//MeN kM39ESc9Fj1jocCDJdAUZMuhejoJFSOn1EIh1Neo7dUmSg/RNt/FkuxoZSTzSqeW1kNF /L0Ud2bKzZAmaC+inSnFe84cN1fPp1nx54ALvzZZLkX7bVCdtngnrU9QzSPcJtgVoPPY GMH2mrPSqD2s9vCaJUPBNJsnj7IEIsmztgvNqfvXsYWmT2RutSnqqsSrGDtynUsDOeKp Jxh6MwiuMh53e2jZTkNEB79EWrfbKN7Lgb5fN+IcTguBqqbMeQPhSF30vKuuIeJ8uyo8 hkBg==
X-Gm-Message-State: AOJu0YwFf4zJp7EI/loKJVt2dRiIPy+5CDLzNCSFR1njAxdzCNDsDGcM R6gSbjcXQiNj/X90Be7gAtQ5ilN6vk4pCTJlhNRaX+jE9cujNbJRBxs=
X-Google-Smtp-Source: AGHT+IFFLeyN2Out0QARitlgOdoNoSlPmg1aahy+LFrYB/CYdxVWyqHkwiNWgmf513PyOd3polq9XG09e93Gy4hRl48=
X-Received: by 2002:aa7:d5da:0:b0:530:8942:e830 with SMTP id d26-20020aa7d5da000000b005308942e830mr69347eds.2.1699289340987; Mon, 06 Nov 2023 08:49:00 -0800 (PST)
MIME-Version: 1.0
References: <169413407847.21904.934194480456263049@ietfa.amsl.com> <GVXPR07MB96787EDDFD97A9E32AC6226389AAA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CAMjbhoV8SnNLjQt0q15boAXxWYkmPy8v-8aCqW4kvdtE89-gtw@mail.gmail.com> <SN7PR14MB64928D0240F21868FEBB951683AAA@SN7PR14MB6492.namprd14.prod.outlook.com> <CAMjbhoUmVdezZbziArzYR9xbKVd3Ld-xcbhz20WB=qPjqKVhQQ@mail.gmail.com> <SN7PR14MB64922E7B96A48B388DA957B583AAA@SN7PR14MB6492.namprd14.prod.outlook.com> <EBF4C6F9-BA8C-41DE-9616-E2AC464BB19C@thomwiggers.nl> <CACsn0cnSwMyP4o5LFkFu5nr-qkmuRA1S9S=1Grexr-yyM2=h+w@mail.gmail.com>
In-Reply-To: <CACsn0cnSwMyP4o5LFkFu5nr-qkmuRA1S9S=1Grexr-yyM2=h+w@mail.gmail.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Mon, 06 Nov 2023 11:48:24 -0500
Message-ID: <CAFR824wOKkBWO1aCYAcK2H2PW-w5iSXiiLjGH0zBSk79HNX5xQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: Thom Wiggers <thom@thomwiggers.nl>, Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>, Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008a4edf06097ea1a3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rDT0Q8ileppkq3GxH1_cZsOVxAU>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2023 16:49:38 -0000

https://datatracker.ietf.org/doc/html/draft-tls-westerbaan-xyber768d00-03
defines the `X25519Kyber768Draft00` `NamedGroup` as 0x6399
https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-kyber-01
defines the `SecP256r1Kyber768Draft00` `NamedGroup` as 0x639A


On Mon, Nov 6, 2023 at 11:42 AM Watson Ladd <watsonbladd@gmail.com> wrote:

> I'm most interested in Level I which I think is what the current
> browser deployments have targeted. Higher security levels are much
> less relevant at least for now, and I think the platforms will likely
> look different.
>
> I think ML-KEM-768 codepoint and a hybrid one make sense to grab now:
> AFAIK it's easy to do. Happy to contribute to drafts, but I think we
> have some floating around.
>
> KEMTLS is a great idea, but I think for now we can make do without:
> it's ok for the PKI to evolve slower.
>
> On Mon, Nov 6, 2023 at 5:32 AM Thom Wiggers <thom@thomwiggers.nl> wrote:
> >
> > Hi,
> >
> > Op 6 nov 2023, om 14:24 heeft Tim Hollebeek <tim.hollebeek=
> 40digicert.com@dmarc.ietf.org> het volgende geschreven:
> >
> > I’m fine if the cocktail napkin says “we’ll either do A or B, we’re
> still figuring that out”.
> >
> >
> > I’m not sure if we will be able to say this as strictly as “A xor B”, we
> might need to do A and B in different environments. CNSA 2.0’s requirement
> of level-V parameters results in very different behaviour than what we see
> at NIST level I, for example. The platforms on which we deploy things are
> also subject to wildly varying constraints.
> >
> > Cheers,
> >
> > Thom
> >
> >
> >
> >
> >
> > What I’m trying to avoid is the situation where everyone has a different
> notional quantum-safe TLS design in their heads, but nobody realizes it
> because nobody has bothered to try to write down the details, even at a
> very high level.
> >
> > If it changes in the future due to new events or analysis, that’s ok too.
> >
> > -Tim
> >
> > From: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
> > Sent: Monday, November 6, 2023 1:14 PM
> > To: Tim Hollebeek <tim.hollebeek@digicert.com>
> > Cc: John Mattsson <john.mattsson@ericsson.com>; TLS@ietf.org
> > Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant
> algorithms?
> >
> >
> >
> > (3)-(5) are exactly the hard problems I’ve been thinking a lot about
> lately.  I’d actually be tempted to say that AuthKEM vs signatures is
> something we should figure out ASAP.  I read AuthKEM again this morning,
> and it has a lot of attractive features, but I’m not quite sure what the
> right answer is yet.
> >
> >
> > I don't think we can settle the future of PQ authentication in TLS just
> yet — there are still many unknowns. To name a few:
> >
> > 1. What signature schemes are on the horizon? MAYO [1] from the NIST
> signatures on-ramp would be great, if it doesn't turn out to be broken.
> >
> > 2. How will the confidence in existing schemes develop? AuthKEM will
> look different depending on whether it can use Kyber-512 or Kyber-1024.
> Also, will it replace Dilithium5 or Dilithium2?
> >
> > 3. What other higher level changes is the ecosystem able to adopt? For
> instance Merkle Tree Certs [2].
> >
> > These are all hard questions, and although I do not believe we can
> answer them now, we should be thinking about them right now. I think we
> should have different pots on the fire, so to say.
> >
> > Best,
> >
> >  Bas
> >
> > [1] https://pqmayo.org/params-times/
> > [2]
> https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
>
>
> --
> Astra mortemque praestare gradatim
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email