IETF Logo Mail Archive

Re: [TLS] ML-KEM key agreement for TLS 1.3

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 15 March 2024 21:01 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAAF1C14F690 for <tls@ietfa.amsl.com>; Fri, 15 Mar 2024 14:01:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.008
X-Spam-Level:
X-Spam-Status: No, score=-7.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id roTEDhF_VISC for <tls@ietfa.amsl.com>; Fri, 15 Mar 2024 14:01:29 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2124.outbound.protection.outlook.com [40.107.20.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21736C14F5F8 for <tls@ietf.org>; Fri, 15 Mar 2024 14:01:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Pq+9fiK/GUt2TvKEWjcjIOB1/1UNe6yAVh+5aksiRKAhEEhV0yMK47QwwY6cMfKlhBAPUPb/tkCcxwhbfKFFFWxKGKxKq8WjbrKyTPeXpf2t3TW2/ldtaZRBQCAyvQZAgodPjNMR435F+Whyzrbk8xAQTw0Kr9iRqq5uVJ/4k1GeThuoym7BwmhoFnkYDU7cJzYtWzYRPdEVL7cjLlTf4WiooWcizxKD2Yn7IgV5cb3Xar8L7fBTWgsj3+RQie74eZS3/wnBZBSOgi6VgrrsFe4RhklW930iA3ALF9VDly+dLYIWJbSmUy2Vw+TBqeoDxu/n5hJwKIrcYKVuWyl+HA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JcXQs1cKXPOA7jwB3buUUQ59zZRmA93eo0T1wfYqZME=; b=J/G6tEkl216uLKgr6nZozZ3nxRVhR3YIX6zKxFCzInIA2UfPE31sQyDnB0l5b8pm7dNOdR3QQgzwqLcsjn4EypDLXnniA88eQUl4Z1IPf3bNJnmTjxi/E6/l8mjhS7EXU5rs83ZNOwPe7J6UBDyEn4VdRKu+tu8WQLAhPBTSx3bIji/+vCFH0+DWzt2YJ7fSuqjxBb9ntqUrbK/8Dw+vQOjOi77JL5KPG/VNe959zw1QNFShQy2gZMKyNKbptOMPEw4F73hM96tqTebdbESyTTe5ru3cotw+vSYB8BuG7nnjiTZoIr3Aepx+Dd3OmIKEIYze3OgjbKJhSC05/spkIA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JcXQs1cKXPOA7jwB3buUUQ59zZRmA93eo0T1wfYqZME=; b=hMw6qU+ix4OG8jb4A/hepYxjI4w1mtjWPeVWl0N4bsVcP1AHiVgxnqFvEBO1OnsHxs0YPizIiD7mr5UaSYQch0zKV5pSCs2aR7KIaZOdX3QVPzIkUSMRtYEsm1DSTMvS+KrWqv9OwkCJLPRe6cJ9WvHAJkF2VXcNmEuao+OYJQU6OZGbeqNurTwcBm1ddcELbE+Jcy9qLVfI9seGQm0PN3amHwEZcj6n1XeSs5TiTaZQH/MpNC+oi7zfgiGHE3iSxuaqpQ5T9gx1ka+kO+x7+T3vsh+jW13n8cG/AmfgE6RBcszwkIwfF9oa+wDOtOhgQekb6UEqWl6cLCBsG2W+fA==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from AM6PR02MB5112.eurprd02.prod.outlook.com (2603:10a6:20b:90::21) by AM0PR02MB5828.eurprd02.prod.outlook.com (2603:10a6:208:181::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7386.18; Fri, 15 Mar 2024 21:01:24 +0000
Received: from AM6PR02MB5112.eurprd02.prod.outlook.com ([fe80::b95f:2e63:65e2:c45b]) by AM6PR02MB5112.eurprd02.prod.outlook.com ([fe80::b95f:2e63:65e2:c45b%2]) with mapi id 15.20.7386.022; Fri, 15 Mar 2024 21:01:24 +0000
Message-ID: <1c52a328-9184-4915-a942-3b2d855d7411@cs.tcd.ie>
Date: Fri, 15 Mar 2024 21:01:14 +0000
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Deirdre Connolly <durumcrustulum@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Cc: Rebecca Guthrie <rmguthr=40uwe.nsa.gov@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
References: <CAFR824wL3sZKoD6OzVpOi8=HZ+aFjqVi4L8UsF8b0p18KOEqVA@mail.gmail.com> <PH8PR09MB929495934EEC8829232EE5DCFC2A2@PH8PR09MB9294.namprd09.prod.outlook.com> <CABcZeBO2sobjXJzW_FNXhfU_vspsr+9YLfcH5zG_JHTX65Os=Q@mail.gmail.com> <CAFR824xo9bL3S_r-GWSkEPhxTQ5yKiDmR4dxwy1LKq0rDCJQOQ@mail.gmail.com> <CAFR824yVjF3YNcwuqqzGnw1X4-j-w_x02ZnuBMKMZUTcXNknuQ@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; keydata= xjMEY9GzphYJKwYBBAHaRw8BAQdAo6JvjmSbxHdQWPZdvciQYsHhM1NxQBU398Mmimoy4p7N M1N0ZXBoZW4gRmFycmVsbCAoMjU1MTkpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPsKQ BBMWCAA4FiEEMG54R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwMFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQ5Njp+ZeoM93bogEA25ElRyX0wwg+kGEN1AoL60MoZfvQZ/VtmXY6IC5j +csBAIBpkL5ySuzJK2zLNZn9qQGht8IaUcA7cvDcLvS2uHUEzjgEY9GzphIKKwYBBAGXVQEF AQEHQILCPWOwW36e8D3pY8GmvvtItIT+A5uV80ist+WokVsQAwEIB8J4BBgWCAAgFiEEMG54 R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwwACgkQ5Njp+ZeoM92bcAEA8R+8cpqRUIS+SoAN iO05xE6O/wEx8/e88BqzAYki3SoBAOQdwiPX+MQrAxkWD8xxOsdMOAtxYKpkD1n8aPJUw6QJ
In-Reply-To: <CAFR824yVjF3YNcwuqqzGnw1X4-j-w_x02ZnuBMKMZUTcXNknuQ@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------tu0zYew3TjA0v9qGUMFGBNuQ"
X-ClientProxiedBy: SY5P300CA0007.AUSP300.PROD.OUTLOOK.COM (2603:10c6:10:1fb::9) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AM6PR02MB5112:EE_|AM0PR02MB5828:EE_
X-MS-Office365-Filtering-Correlation-Id: f1bb4280-68d7-456a-0a9f-08dc45331289
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: dYj043t4CuLDi9Znk4+YCuMDc9cbJ2AAp1T85SPSb2gUrUvIU0wtNrDGukoeXSAnoyhRV4Joc5ga08M8oFqPPd4KGkdKaPjePgyEZEcCnvjz6IW9ddl0u2EZixFof+Ye6HYk5yLCRMjJ0uGciDsAynO/CdfUiLfOiIGqbhb/b+T3OTXfS9FQV5P7a0/x/SVarBbgu7YFKernIbJz590PDuqck6QqyEMV74lhGB+libHZmJFyVbUxch3fqj36ze2nvRzbJ8/OrSryUqADlUdoOL7ZFdx5T7JdBiJ2QzlyeD6cleApZZqWGwIhu3QRNmyd1Fsp0+Zy5D1dTnw0GDaQdUL8Gvvd8gNP6AXto4KMTWlc1+ozkpEeC9UsZRgKpO/6gVg0NlB10JkjrnG+wXWpHUzk1q7o+fr/3IFtRKsePsq6VrY+1nRoBI8QiySbPfJAEoiUeXMFzT0x3X5OTvAuPfx6O08t6opARAtTQD+ZbacfDvd33ZHCYO3+0YRS3bAECNf1jb+lWo2MYO5V8ETiWYktrsGjTW1eMcJSpN7zj50QXKyLK6cTtDdYUOxLOAE5HjCZ74uTd0DI3m38hDLj66ww0VEYCIO72KH8vnV1qJo=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR02MB5112.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(1800799015)(376005)(366007); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: P9ONnxKSQc4q0JPVGGAkOdUQDnpR3P9EsVK8yaebFZ6/4oSYD6L8eTPlWNfnUOl5Fnu9N08Ya1Htr3BJjN/vD/LBs2+t2TqhQRYJlC5Y1H4s4H/U5GprmQtnyZ6K9mG6ZFuz8dsC9FMJsItc0zcHtPlz3+20vPLYYMFdBd/9/FFGLxajdLvhSmM5Y/NA6aaAlw2PSzh/ZNBPIaCohCuzWmpNXgLWGhJpRiuZjkXMXWhzrtY7HJoPV8ZRokyY3UT4kN7xunyAN8pyaOYF5fZs79U2uq90w++iFJg+5IaRqrGvwJI+HEsWisWn3556qM7fQ8y/V0lPQmyuw2DPzm2pFk7ZL2OAE3AFKXMaGgDxphw0ZoZczotYdyN4mGmHe1qp6B/Ztn5D70dMas7A2Y2YWSTYplH1ElG2htiMKJdFy59TaF01u0d1kiWKvZSELuXk/GCG9VTOXk5sVLRcLf3zaOd7Ze4SBmySgk/jsfbz48+K94sRxgyC+MqxVQfcjJ+DohJ1hHfAkbXk6nX6D2Oz6j01L0Xm+IAlT95Q60d9ecYWClVXBNta3+zRpYK0eF9cKD/mt4C7FRE7+F+6qGyj54VT1DqI7Q38upIBvVTKcpCeLFtjKMFw6sZUS/+TiW4HhWh1X8kEohPrJ3T66Y3hQ7BvfTPPI6LX39VTrb0zpEdwm8Tu/ksu+H8sdGgMDX77aTtGWdXCkgIAgYkHXnr8VmjXYeiTitaej20Ym3gt62bGGepZWXVNx7fP/zdNcqAGCqlpsBMlfVZzZPiRMVJlgTruSbV0BaQVx0PXOjcZNQ7WsytL2Mt//D8wNKIkSIMJUwO9EopfU0+NvCjcH/4WfCTAYv3ou9lR9eKUFkLLpYoB2OMzWziM0eqMjxW4H1AFijJJbhm00Zaxk+x+SopfvSIUIWDsO3ipn0lb4gVgTZG2W1BybPmO1b24EWK56bmuQLveBoC6O0678NdIaSm0jQETlvTctx+a8YufFg72Ao84urRd0uz2jyYDPoz+gulEnH+gTwm45zbQblESsh9fq1nwK4hmSAIK58tZ2lNbcUPEeb8V+rJp8ZIXL5aM2J2yqBF9YLNG2GYY+mNDtgbbxy9Cbinqedu3lGi2a2I5yjqYDVU6bnm6J3RksDXPfIZaISdPCnMw/kr/r1XQ6aJDA5HkYZ7ewzFSBrwSKZLgbZoRIB1TmEXXh6VMPejXSkbzXOzYCwYPgSOxAI3PgKy+OdRzeuNb0caqNij9RfiJuZGRiyjyzc3ys0ECsLaqGGHdYPS+COYyyXo8w41s9q4RZ0pemrDP7kgRdhtjeXCU0hiHkGfOBqj/8Md697J/pKkGvQqpZhUBTtQj6AyDY4PCR1iEG1Brrc62PdP5v3mRqx+Iw/S4SefshyPB9Z/vyjeDPNJxXU0n9Bj3pMLoy9dzYSU4xgJJde8efgqtfu2gkkUd6zbrjDw79fwlbuiWz+BaBI+uHSu5ChYz3FlWRk/oDY9r8p8skx0X18Qw8fUBvk6xFukHQsS1cX9hJ/d8wHFWqLbiXwQHW79t3z6CsBCDcCJXpMSr5+Y78zPNba8RGVm9IHsDyH2jFXOru692YjDhBOTkh4V+GpTeTPnxLuPy6IIzTA3kUMGBisNR//pHz5AMiXD/yb1Uavbwoo65Uzi3
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: f1bb4280-68d7-456a-0a9f-08dc45331289
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Mar 2024 21:01:24.4877 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: sRBoAa7swwuP61ItSBPONUIVbRi3Rnk4Rqh0SP5g8jsi+adxfHvX9jErFbLqzZMe
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR02MB5828
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sqtj5UF0BVQeekNo8BTWQL4IbIE>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2024 21:01:33 -0000

Hiya,

On 14/03/2024 01:41, Deirdre Connolly wrote:
> Oh and one more consideration: hybrid brings complexity, and presenting the
> pure-PQ solutions and their strictly lesser complexity (at the tradeoff of
> maybe taking more risk against newer schemes no matter how good we feel
> about their fundamental cryptographic foundations) is worthwhile in my
> opinion.

I'm all for reduced complexity, but in the case of hybrid KEMs, I don't
think we can directly trade off the systems complexity in having to add
support for hybrids vs. not doing that so easily - the one and only
thing we get from hybrid KEMs is protection against record-now-decrypt-
later attacks and those aren't visible in analysis of code.

Generally on this draft: I think this is a case where we do not want
to skate to where we think the pq-puck is going as there is too much
uncertainty as to possible future (super:-)positions for the puck.

So, I'd suggest leaving this until we have more information. If people
who need to adhere to odd govt. dictates to not use hybrid KEMs have to
get codepoints in the meantime, then that's a pity for them, but I'd 	
prefer to see the WG only spend time on crypto in which we claim to
have sufficient confidence, which for now, means hybrid KEMs.

Cheers,
S.

> 
> On Wed, Mar 13, 2024 at 9:39 PM Deirdre Connolly <durumcrustulum@gmail.com>
> wrote:
> 
>> Some considerations for ML-KEM alone (or another trusted PQ-only key
>> agreement) are mainly looking towards the desired next step after hybrid
>> key agreement, and instead of leaving that fuzzy and far off, talking about
>> it in the present. This is also motivated by -hybrid-design allowing
>> several traditional NamedGroups to be negotiated on their own, as hybrid
>> NamedGroups with ML-KEM (although currently both are specified as Kyber but
>> those will change), but no option to negotiate the other side of the hybrid
>> alone, the PQ algorithm alone, Shaking out all the negotiation decisions is
>> desirable as well as 'drawing the rest of the owl' for the pure PQ option
>> implied in the negotiation (are we going to copy the same ~1000 bytes for
>> the PQ and hybrid name groups, when sharing an ephemeral KEM keypair?).
>>
>> For CNSA 2.0, it is cited not as a compatibility _requirement_ of TLS, but
>> a note that a non-trivial segment of users of standard TLS that have been
>> traditionally compliant will not be in a few years, and they will come
>> knocking anyway. This is trying to skate where the puck is going.
>>
>> But also, the fact that CNSA 2.0 explicitly requires ML-KEM _only_ key
>> agreement in the next ~6-9 years is a strong vote of confidence in any
>> protocol doing this at all, so, TLS wouldn't be out on a limb to support
>> this, basically.
>>
>> I don't have a strong opinion on whether this should be Recommended = Y.
>>
>> On Wed, Mar 13, 2024 at 6:42 PM Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>>
>>>
>>> On Wed, Mar 13, 2024 at 2:36 PM Rebecca Guthrie <rmguthr=
>>> 40uwe.nsa.gov@dmarc.ietf.org> wrote:
>>>
>>>> Greetings Deirdre and TLS,
>>>>
>>>>
>>>>
>>>> I read through draft-connolly-tls-mlkem-key-agreement-00 (and
>>>> https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/blob/main/draft-connolly-tls-mlkem-key-agreement.md)
>>>> and I have a few comments. First, though, I want to say thank you for
>>>> writing this draft. I'll echo some of what has already been voiced on this
>>>> thread and say that, while some plan to use composite key establishment, it
>>>> makes sense to also specify the use of standalone ML-KEM in TLS 1.3 as
>>>> another option. Other WGs (lamps and ipsecme) have already begun to specify
>>>> the use of standalone FIPS 203, 204, and 205 in various protocols. With
>>>> respect to this draft, there is certainly interest from National Security
>>>> System vendors in using standalone ML-KEM-1024 in TLS 1.3 for CNSA 2.0
>>>> compliance (as CNSA 2.0 does not require nor recommend hybrid solutions for
>>>> security).
>>>>
>>>
>>> I wanted to address this CNSA 2.0 point, as I've now seen it brought up a
>>> couple of times.
>>>
>>> The IETF, together with the IRTF, needs to make an independent judgement
>>> on whether using PQ-only algorithms is advisable, and if we do not think
>>> so, then we should not standardize them, regardless of what CNSA 2.0
>>> requires. The supported groups registry policies are designed explicitly to
>>> allow people to register non Standards Track algorithms, so nothing
>>> precludes the creation of an ML-KEM only code point if some vendors find
>>> that necessary, without the IETF standardizing them or marking them as
>>> Recommended=Y.
>>> -Ekr
>>>
>>>
>>>
>>>
>>>>
>>>> A few specific comments:
>>>>
>>>>
>>>>
>>>> 1. In Section 1.1 (or Introduction - Motivation in the github version),
>>>> I would suggest that the second sentence ("Having a fully post-quantum...")
>>>> is not needed, i.e. that there need not be a justification for why it is
>>>> necessary to specify how to use ML-KEM in TLS 1.3 (vs. hybrid). It could be
>>>> appropriate to contextualize the specification of ML-KEM w.r.t the advent
>>>> of a CRQC, though I also don't think that is necessary. As an example, we
>>>> can compare to the Introduction in draft-ietf-lamps-cms-kyber-03.
>>>>
>>>>
>>>>
>>>> 2. Section 3 (Construction on github) currently reads, "We align with
>>>> [hybrid] except that instead of joining ECDH options with a KEM, we just
>>>> have the KEM as a NamedGroup." I think it is a more useful framing to base
>>>> this specification (for the use of a standalone algorithm) off of RFC 8446
>>>> instead of the draft spec for a hybrid solution. I understand wanting to
>>>> align the approach with the approach taken for the hybrid solution, but I
>>>> don't think that fact needs to be explicitly documented in this draft. When
>>>> this draft is standardized, I think it's important that it is able to be
>>>> read, understood, and implemented without needing to refer to the hybrid
>>>> draft. It could be stated (how it is in the hybrid draft), "ML-KEM-512 (if
>>>> included), ML-KEM-768, and ML-KEM-1024 are represented as a NamedGroup and
>>>> sent in the supported_groups extension."
>>>>
>>>>
>>>>
>>>> 3. On a related note, the hybrid draft says, "Note that TLS 1.3 uses the
>>>> phrase "groups" to refer to key exchange algorithms -- for example, the
>>>> supported_groups extension -- since all key exchange algorithms in TLS 1.3
>>>> are Diffie-Hellman-based.  As a result, some parts of this document will
>>>> refer to data structures or messages with the term "group" in them despite
>>>> using a key exchange algorithm that is not Diffie-Hellman-based nor a
>>>> group."
>>>>
>>>> This seems okay, but on the IANA registry for TLS Supported Groups, it
>>>> indicates 0-255 and 512-65535 are for elliptic curve groups, and 256-511
>>>> are for FFDH groups. Where does ML-KEM fit in? Do ranges need to be
>>>> re-evaluated? As an example, for IKEv2, RFC 9370 changes the name of
>>>> Transform Type 4 from Diffie-Hellman Group to Key Exchange Method in order
>>>> to accommodate QR KEMs.
>>>>
>>>>
>>>>
>>>> 4. In the Discussion section (on github), does the portion on failures
>>>> need to contain more information about how a failure should be handled in
>>>> TLS? Should a decrypt_error alert be sent?
>>>>
>>>>
>>>>
>>>> 5. In Section 4 (or Security Considerations on github), this may be a
>>>> silly question, but is the definition of "commits" well-understood (in the
>>>> first sentence on datatracker; in the first sentence of Binding properties
>>>> on github)? It is not used in RFC 8446 so it might be worth explaining the
>>>> meaning or using different phrasing in this sentence.
>>>>
>>>>
>>>>
>>>> Also, what are the WG's thoughts on including standalone PQC signatures
>>>> in the same draft?
>>>>
>>>>
>>>>
>>>> Thanks in advance!
>>>>
>>>>
>>>>
>>>> Rebecca
>>>>
>>>>
>>>>
>>>> Rebecca Guthrie
>>>>
>>>> she/her
>>>>
>>>> Center for Cybersecurity Standards (CCSS)
>>>>
>>>> Cybersecurity Collaboration Center (CCC)
>>>>
>>>> National Security Agency (NSA)
>>>>
>>>>
>>>>
>>>> *From:* TLS <tls-bounces@ietf.org> *On Behalf Of * Deirdre Connolly
>>>> *Sent:* Tuesday, March 5, 2024 9:15 PM
>>>> *To:* TLS@ietf.org
>>>> *Subject:* [TLS] ML-KEM key agreement for TLS 1.3
>>>>
>>>>
>>>>
>>>> I have uploaded a preliminary version of ML-KEM for TLS 1.3
>>>> <https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/>
>>>> and have a more fleshed out
>>>> <https://github.com/dconnolly/draft-tls-mlkem-key-agreement> version to
>>>> be uploaded when datatracker opens. It is a straightforward new
>>>> `NamedGroup` to support key agreement via ML-KEM-768 or ML-KEM-1024, in a
>>>> very similar style to -hybrid-design
>>>> <https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/>.
>>>>
>>>>
>>>>
>>>> It will be nice to have pure-PQ options (that are FIPS / CNSA 2.0
>>>> compatible) ready to go when users are ready to use them.
>>>>
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Deirdre
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email