IETF Logo Mail Archive

[TLS] Re: ML-DSA in TLS

Bas Westerbaan <bas@cloudflare.com> Fri, 25 October 2024 15:28 UTC

Return-Path: <bas@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEE3FC1840F0 for <tls@ietfa.amsl.com>; Fri, 25 Oct 2024 08:28:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.004
X-Spam-Level:
X-Spam-Status: No, score=-2.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QEtMdHKP7h0A for <tls@ietfa.amsl.com>; Fri, 25 Oct 2024 08:28:32 -0700 (PDT)
Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15B79C180B6A for <tls@ietf.org>; Fri, 25 Oct 2024 08:28:31 -0700 (PDT)
Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-6e2772f7df9so19240007b3.2 for <tls@ietf.org>; Fri, 25 Oct 2024 08:28:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1729870111; x=1730474911; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qANcnwK+V3aoqiqmHB/QGZT7wZUoTrQPCE2ZRNq1/tU=; b=Zu4FZJ1e/UK2xgFBFqbJVsQC4FyrbizAw6bHyVJH+mebOGA7ndelHEBV783D8+aE4z D2bVwJT2jna02/BpdSvYs0IlOEZPIDN2SGCqB+4A4EjVy62ne9/HpSokEi0B2FIIZjUH LFTrYYN7Eos1PfE+7YAsafW/C0GiwpqfEEIFRi/Htzd9Bv0zi01Z8APm94RSovAjMUdv 9q+I7CqYvZrEr6xYYwEKD5Dr4CKMTJ2f6xIj1M9SzRE/FK65yRONJ1+ubAaZSROd4cTI bm/+jqTNfCpKrm6Gyvb0CtpVmmXcqpINz6umPCJ3uqH60zTMSWu5VF20hWT+9xII5xvr Z2jA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729870111; x=1730474911; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qANcnwK+V3aoqiqmHB/QGZT7wZUoTrQPCE2ZRNq1/tU=; b=LlCtKdjqrk7S7YLfQDLelaAl02FEXubHHLUE+BliamPHqaaRAyxbEjo/6a9UoVav/r Tq943wzeH2GgFEKIRnzcXcdktVLAIN8/2DOueuD3vZJW7KaEz4kegKR67mNDuRNPIrit ZmbwgiyHJ7QQLukbD2FQk3hvAW2HWeeGsZ5AR8dFwawaRnFdaQTSpGDBtbgXLkf5nCjY E7lQLVXig/Tsqok5TjUA6ZWpM4yVFpobwd/Cyqd0k/CrsNzTvCYBjm7gLJNkdkmf4apN s8oKd4vlnkAPQXoUQrZs4br2USEjLk0LpMpsCGG+2nFoA73LCDl6El8bgjPZhDFAlhMe z8fg==
X-Forwarded-Encrypted: i=1; AJvYcCULRBojMh0x2n+4DWdXC+8c15uJ+tM/YPihxekhtD7uT7CHgqvIuZ3xzJNzu8+K0P0lRCQ=@ietf.org
X-Gm-Message-State: AOJu0YxGeOvL+7BivkFZfSCrIS+TNIs3T7DhXciFduWoLi7dhfv/pv3k 8bzM3FLs6SyfLboiWmUnLeO2Sid+TetbWJg5QvYaIyvWhGxtEKAh5arH1Q682fVthMfX710hwML 3wr8p3jIIFgo0+cRQQVGH9uHBqG4GCjDVBDdSpA==
X-Google-Smtp-Source: AGHT+IGpWtAoffpsispZGIKteo1V1XOnOvwEXR8HOxm9lpgo2BTpnQeFefsD+V+puEoQ3sKvXEMx+NtXOGyDXlBkhug=
X-Received: by 2002:a05:690c:690e:b0:6e2:c13e:20e8 with SMTP id 00721157ae682-6e7f0fba06amr115787207b3.30.1729870110777; Fri, 25 Oct 2024 08:28:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAMjbhoUFkL=UT0Pt2xjPLm998=j1ef+wdm0WO14_W7OJDJ-hOg@mail.gmail.com> <bcb2e444-7fc7-477d-b290-77adad4a1630@redhat.com> <GVXPR07MB9678B11440060A8A315ED39B894D2@GVXPR07MB9678.eurprd07.prod.outlook.com> <CABcZeBMAg=r8MfJsJsVLe=bkPwE2e88ETnvop=JjCeHbCdct_w@mail.gmail.com> <CAMjbhoXomCFmfuGO09Pqr-BOdksmgOmVc08-g6niqqvj1k1mdA@mail.gmail.com> <CABcZeBMBRgpHawmJStR-prVQWguo1TJPJpXVzQWzysS5RDtLhw@mail.gmail.com> <CAMjbhoUkA44fvybQW=ZSD=_5t63+LD+F-UV4v3yE4fF4rfDYxg@mail.gmail.com> <CABcZeBMPPU+pK+4Mn1X-xj40W9Vo3qG49Cp4ZjmwCvMRmmMgBA@mail.gmail.com>
In-Reply-To: <CABcZeBMPPU+pK+4Mn1X-xj40W9Vo3qG49Cp4ZjmwCvMRmmMgBA@mail.gmail.com>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Fri, 25 Oct 2024 17:28:18 +0200
Message-ID: <CAMjbhoXqPWmZWRApzKZVkXhBkubAhHUWP4SECDjfUEzLTauMEg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="0000000000007607ff06254ec500"
Message-ID-Hash: CGNPLF3EPLPQKK2Z6HK6JYD33WRS65HB
X-Message-ID-Hash: CGNPLF3EPLPQKK2Z6HK6JYD33WRS65HB
X-MailFrom: bas@cloudflare.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: ML-DSA in TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rIyDS6zpztSnoPKpUu4Sr-_xyic>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

>
> I'm not sure I agree that there is no value. In general, we try to roll
> out new mechanisms slowly so that we get some experience with how they
> perform in the wild. Given the experience with PQ key establishment, we
> should probably have some concern that ML-DSA won't just work in all cases,
> and we'd like to find that out now, which requires some level of deployment.
>

I am well aware, and we will, as we have before.

But I think we've strayed from the original question you asked:

In particular, we should have a discussion of whether we want to
standardize pure ML-DSA or hybrid ML-DSA/EC algorithms; I currently lean
towards the latter, but I, at least, would like to hear arguments to the
contrary.


I think we should at least standardize pure ML-DSA. That does not prevent
us from standardising a hybrid as well. These are independent matters.

Best,

 Bas


PS. Majority of testing can be done without hybrids. Don't run it on
production traffic. Or pad a P-256 key to the length of ML-DSA. If it's
compute we want to test, run a dummy ML-DSA verify. If we do want the full
thing with a hybrid, we can use an ad hoc hybrid (as CECPQ2 was ad hoc too.)




>
>
>> The proposal you sketch also requires an update at the time CRQCs are
>> near to disable the non-PQ certificates.
>>
>
> Absolutely. We're just in an asymmetrical position in that we're already
> exposed to the risk of non-PQ but not to the risk of PQ.
>
> -Ekr
>
>
>> If you have a system that cannot have an update, then you indeed need a
>> hybrid.
>>
>>
>>> In general, the client is exposed to the union of the risks of
>>> compromise of the signature algorithms it supports. Thus, in a world
>>> where the client supports: [ECDSA, ML-DSA], then compromise of either
>>> algorithm is an issue. By contrast, if the client supports [ECDSA,
>>> EC-DSA+ML-DSA], then compromise of ML-DSA alone is insufficient to
>>> result in an attack. This is of course the same logic that leads
>>> to hybrids for key establishment.
>>>
>>> An obvious response here is "if something goes wrong with ML-DSA,
>>> we'll just turn it off quickly". This is certainly true for browsers,
>>> but I'm less sure it's true for other systems. If you think that
>>> it takes a long time to disable algorithms, then it seems like
>>> that's an argument that hybrid signatures are safer.
>>>
>>> -Ekr
>>>
>>>
>>> [0] There is benefit in the servers supporting PQ ahead of time
>>> because the client will have to make a cost/benefit decision in
>>> terms of breakage, and the more servers support PQ, the easier
>>> this decision is.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>>
>>>> It's uncomfortable though if the first blessed SignatureScheme would be
>>>> a non-hybrid. (Also regulators don't make the distinction between
>>>> authentication and encryption, but at least most of them insist on hybrids
>>>> for both though.)
>>>>
>>>> So I agree it makes sense to set recommended=N for now.
>>>>
>>>> Best,
>>>>
>>>>  Bas
>>>>
>>>>
>>>>
>>>> On Thu, Oct 24, 2024 at 4:47 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>
>>>>> I think an adoption call is a bit premature here. We've got some time,
>>>>> especially in the WebPKI setting.
>>>>>
>>>>> In particular, we should have a discussion of whether we want to
>>>>> standardize pure ML-DSA or hybrid ML-DSA/EC algorithms; I currently lean
>>>>> towards the latter, but I, at least, would like to hear arguments to the
>>>>> contrary.
>>>>>
>>>>> -Ekr
>>>>>
>>>>>
>>>>> On Wed, Oct 23, 2024 at 11:02 AM John Mattsson <john.mattsson=
>>>>> 40ericsson.com@dmarc.ietf.org> wrote:
>>>>>
>>>>>> Let’s have an adoption call asap.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I made some minor suggestions
>>>>>> https://github.com/bwesterb/tls-mldsa/pull/3
>>>>>>
>>>>>>
>>>>>>
>>>>>> John
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From: *Alicja Kario <hkario@redhat.com>
>>>>>> *Date: *Wednesday, 23 October 2024 at 19:59
>>>>>> *To: *Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
>>>>>> *Cc: *<tls@ietf.org>
>>>>>> *Subject: *[TLS] Re: ML-DSA in TLS
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Thanks for the draft, will definitely be helpful.
>>>>>>
>>>>>> Few issues:
>>>>>>  * The range 0x0900-0x0903 is reserved for backwards compatibility
>>>>>>    I think it will be better to continue the numbering in the 0x08..
>>>>>> space
>>>>>>  * the must in "must use id_ML-DSA(...)" probably should be
>>>>>> capitalised, as
>>>>>>    if it doesn't match, the connection needs to be aborted
>>>>>>
>>>>>> open question is if we should document error handling explicitly:
>>>>>>  - illegal_parameter alert if the peer used algorithm not advertised,
>>>>>> or
>>>>>>    signature algorithm does not match the certificate
>>>>>>  - decrypt_error when verification of the signature failed
>>>>>>
>>>>>> On Wednesday, 23 October 2024 19:29:06 CEST, Bas Westerbaan wrote:
>>>>>> > Hi all,
>>>>>> >
>>>>>> > Unless I overlooked something, we don't have a draft out to
>>>>>> > assign a SignatureAlgorithm to ML-DSA for use in TLS.
>>>>>> >
>>>>>> > It's two days past the I-D submission deadline, but I wanted to
>>>>>> > point you to a short draft we put together to fill this gap.
>>>>>> >
>>>>>> >
>>>>>> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbwesterb.github.io%2Ftls-mldsa%2Fdraft-tls-westerbaan-mldsa.html&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C8fef63d5eddc4cb44fee08dcf38c63f4%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638653031501883034%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=1oIREiL3cz5iRqrSRQ2PKnw5%2BdAkv89rBl9AnUJwAgs%3D&reserved=0
>>>>>> <https://bwesterb.github.io/tls-mldsa/draft-tls-westerbaan-mldsa.html>
>>>>>> >
>>>>>> > So far, I see only one open question: whether to set a non-zero
>>>>>> > context string.
>>>>>> >
>>>>>> > Best,
>>>>>> >
>>>>>> >  Bas
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Alicja (nee Hubert) Kario
>>>>>> Principal Quality Engineer, RHEL Crypto team
>>>>>> Web:
>>>>>> https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cz.redhat.com%2F&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C8fef63d5eddc4cb44fee08dcf38c63f4%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638653031501906645%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=OEPmJIyNseoOyEubpjkOsGFhcqmd2HRTqwKcj4Xwkqk%3D&reserved=0
>>>>>> <http://www.cz.redhat.com/>
>>>>>> Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
>>>>>>
>>>>>> _______________________________________________
>>>>>> TLS mailing list -- tls@ietf.org
>>>>>> To unsubscribe send an email to tls-leave@ietf.org
>>>>>> _______________________________________________
>>>>>> TLS mailing list -- tls@ietf.org
>>>>>> To unsubscribe send an email to tls-leave@ietf.org
>>>>>>
>>>>>

v2.29.0 | Report a Bug | By Email | System Status