[TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt
John Mattsson <john.mattsson@ericsson.com> Sun, 09 March 2025 15:16 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: "tls@ietf.org" <tls@ietf.org>
Date: Sun, 09 Mar 2025 15:16:46 +0000
Message-ID: <GVXPR07MB96784E6850B9A809801BB79789D72@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <GVXPR07MB9678E29CF1D00E59164EB89089D72@GVXPR07MB9678.eurprd07.prod.outlook.com> <Z82aAuvLY1tiDxbQ@chardros.imrryr.org> <GVXPR07MB9678BFF2F2284DEDCC6B6AF989D72@GVXPR07MB9678.eurprd07.prod.outlook.com> <Z82ofVKnPfcyGyNF@chardros.imrryr.org>
In-Reply-To: <Z82ofVKnPfcyGyNF@chardros.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sdX2B47AaEKyBEgjr5W7hnNbq7E>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
Viktor Dukhovni wrote:
> Guidance to encourage fresh keys every ~5 minutes and every ~10 users is not unreasonable.

I don't think time is the important factor. The important thing is that encapsulation keys used with different servers are independent. If you have a timing side channel in KEM.Decaps(dk, c) that leaks the encapsulation key, this encapsulation key should not enable passive eavesdropping of connections with other servers. Timing side channels leaking private keys have been common for classical algorithms and are likely also for quantum-resistant KEMs. ML-KEM KeyGen() is so fast that reusing encapsulation keys to save a few CPU cycles is not justifiable.

Cheers,
John

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Date: Sunday, 9 March 2025 at 15:43
To: tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt

On Sun, Mar 09, 2025 at 02:02:55PM +0000, John Mattsson wrote:

> Viktor Dukhovni wrote:
> > However, you'll be thrilled to learn that it is not possible for a TLS
> > server to reuse its ML-KEM keyshare when a client uses a fresh ephemeral
> > ML-KEM keyshare.
>
> Yes, that solves half the problem, but I would also like my servers to
> not talk to clients reusing key shares with other servers.

I've seen no evidence that TLS client implementations exist or are being planned that will use *long-term* ML-KEM keys to generate keyshares. Any occasional short-term reuse is much less risky in ML-KEM than it would be in ECDH. If ML-KEM is secure enough to use at all, it should be secure enough for some short-term key reuse.

I very much expect that there will not be separate code points for or a prohibition against key reuse, and nevertheless key reuse will be infrequent and at most short-term to amortise initial keygen most, with most of the benefit gained in the first O(10) users, and rapidly diminishing gains thereafter.

The behaviour of mainstream implementations will not stay secret, and nobody will want to be seen as negligent of best practice. The guidance should be that single-use is recommended, but otherwise reuse should be rather limited both in temporal duration and use count. Guidance to encourage fresh keys every ~5 minutes and every ~10 users is not unreasonable.

And if some day we learn that quantum computers are impossible, we'll go back to just X25519, or if CRQCs arrive, we'll stop using hybrids and will use whichever pure PQ algorithms are preferred at that time.

--
Viktor.
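An added example, not from the thread or from any TLS implementation, of the bounded-reuse policy Viktor describes and the two limits he names (fresh keys roughly every 5 minutes and every 10 uses), enforced on the client side where the ML-KEM key share is generated. ML-KEM itself is not in the Python standard library, so `keygen` is an assumed injected callable returning an (encapsulation key, decapsulation key) pair, e.g. from a liboqs binding; `now` is injected so the time bound can be tested deterministically.

```python
"""Bounded-reuse cache for a client-side ML-KEM key share (added example)."""
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

MAX_AGE_SECONDS = 300   # ~5 minutes, the temporal bound suggested in the thread
MAX_USES = 10           # ~10 uses, the use-count bound suggested in the thread


@dataclass
class _Share:
    ek: bytes          # encapsulation key, sent in the ClientHello key_share
    dk: bytearray      # decapsulation key, kept private, wiped on rotation
    created: float     # monotonic timestamp of generation
    uses: int = 0      # handshakes this pair has been used for


class KeyShareCache:
    """Hands out one ML-KEM (ek, dk) pair per handshake, rotating the pair as
    soon as either the age bound or the use-count bound is reached."""

    def __init__(self, keygen: Callable[[], Tuple[bytes, bytes]],
                 now: Callable[[], float] = time.monotonic,
                 max_age: float = MAX_AGE_SECONDS, max_uses: int = MAX_USES):
        self._keygen, self._now = keygen, now           # keygen is assumed/injected
        self._max_age, self._max_uses = max_age, max_uses
        self._share: Optional[_Share] = None
        self.generations = 0    # number of keypairs generated so far

    def _expired(self) -> bool:
        s = self._share
        return (s is None or s.uses >= self._max_uses
                or self._now() - s.created >= self._max_age)

    def _rotate(self) -> None:
        if self._share is not None:
            # Zero the old decapsulation key before dropping the reference.
            for i in range(len(self._share.dk)):
                self._share.dk[i] = 0
        ek, dk = self._keygen()
        self._share = _Share(ek, bytearray(dk), self._now())
        self.generations += 1

    def acquire(self) -> Tuple[bytes, bytearray]:
        """Return (ek, dk) for one handshake and count it as a use."""
        if self._expired():
            self._rotate()
        self._share.uses += 1
        return self._share.ek, self._share.dk
```

With the defaults, a client that never reuses across servers can still set `max_uses=1` to get the single-use behaviour John argues for; the cache then degenerates to plain per-handshake keygen.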