[TLS] Re: WG Adoption Call for Post-Quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3
Andrew Scott <andrew@aes.id.au> Tue, 18 March 2025 05:01 UTC
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rEADLDJ2TS7U1BkNAwRsqsurkic>

Some relevant additional detail from NIST's paper selecting HQC..

On Thursday, 13 March 2025 10:01 UTC, Alicja Kario wrote:
> NIST has selected HQC for standardisation this week... No idea about
> its patent situation, or if we want something with ciphertexts this big in
> TLS... (reminder: 4.4 kiB, 8.8 kiB, and 14.1 kiB for 128, 192 and 256
> bit level of security respectively)

As well as HQC's selection, NIST also called out Classic McEliece in their report as a possible future NIST standard once ISO/IEC is finished with it:

See https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8545.pdf

> In the event that Classic McEliece does become widely
> used through other standards, and that NIST remains confident in its security while also
> determining that there is sufficient need, NIST may develop a NIST standard based on the
> widely used version.

It has better ciphertext sizes, but much much worse encapsulation/decapsulation key sizes.

Andrew Scott
https://aes.id.au/