IETF Logo Mail Archive

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Bas Westerbaan <bas@cloudflare.com> Mon, 06 November 2023 11:37 UTC

Return-Path: <bas@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4A4BC1FB89E for <tls@ietfa.amsl.com>; Mon, 6 Nov 2023 03:37:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e2lCiJyEz-CE for <tls@ietfa.amsl.com>; Mon, 6 Nov 2023 03:37:35 -0800 (PST)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3266C1FB878 for <tls@ietf.org>; Mon, 6 Nov 2023 03:37:35 -0800 (PST)
Received: by mail-ej1-x635.google.com with SMTP id a640c23a62f3a-9c53e8b7cf4so639411366b.1 for <tls@ietf.org>; Mon, 06 Nov 2023 03:37:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1699270654; x=1699875454; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=LyS4G3ew3R0XMvzprZ03wydkY7VKsY+8rE6mtPU/oXE=; b=FRFyxnxiNWnRIlrBoj9p2JR7qzshHEnegVbsCtkJw1o4RGcjMry65+keondRT8I/DB W9sLgxqcqEN9sazfmCb2BPJ7zQSeOTdE/QzrWCb0aKq+R9w8+2miSG1flLHIB9EakWA+ UI8jc4vtm3mxd7U9OlJHcqQ66AlJC2jvbOCyNCVJyltg0qfCqqC+e1nDQktKdAJ2xD/p ADiYGW18AGiMEmknopFZztSudRVBN6zX4pgUouVabuVxDySqgc3eSAIsOmCkteayjxH9 DjFBz+qnL2ep24O4lncSkJPN32n8/6dNNBGwlPqfvZGeg8gkw6xYegyxLw71EWfwLdWr sunA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699270654; x=1699875454; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LyS4G3ew3R0XMvzprZ03wydkY7VKsY+8rE6mtPU/oXE=; b=YWij4xZkjtAWOFjiuwdLP9Py+gjcBQP44He6tpBhpiUY+w1FCBUGJjsv/ElIbOdkUh 78sSMuQj6asAmin3uYWCpJLzMDYLttsdy7DWi3Z/tuaK7Bdd6nKJQUX0/10bRIKB3OhH SNeS6vFRwhHJdUiKPtOVn3IgRbQ230BDrK/6KjD+IXi8VNBRckSys3ai+P6HiIGk4xSc aLgsfacMHobbZ9G8u9Q93E2WSF1r7sXtcz+ZrreTq1pnVCPQtyMAv7L48MfMwDMDPa2W 7qd1PqnclGr2iNXY+PXb9Dl/IEiG4U9LA3SmC1LMeK7fgJ0Mbm/lKqFBzWGqesHTofXB Rd3w==
X-Gm-Message-State: AOJu0Yx1VOZ7wnmT1p9a6VGDy7Iv3UnSW2IjDBLt1FH4vYiWrlPNHrMa im6AQb47B7QNU6+9NeWt774kOKysK80hT65cVCmzYQ==
X-Google-Smtp-Source: AGHT+IF5jAYv6iW8euO4CyfWVv2M9JkUPlJt6nO3J/4a0r7vCYugwaEvbFr5dm+Fc7vUmF5xSpymMNTHJEUixVc4y0Q=
X-Received: by 2002:a17:907:9805:b0:9ba:3af4:333e with SMTP id ji5-20020a170907980500b009ba3af4333emr11817356ejc.14.1699270654129; Mon, 06 Nov 2023 03:37:34 -0800 (PST)
MIME-Version: 1.0
References: <169413407847.21904.934194480456263049@ietfa.amsl.com> <GVXPR07MB96787EDDFD97A9E32AC6226389AAA@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB96787EDDFD97A9E32AC6226389AAA@GVXPR07MB9678.eurprd07.prod.outlook.com>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Mon, 06 Nov 2023 12:37:23 +0100
Message-ID: <CAMjbhoV8SnNLjQt0q15boAXxWYkmPy8v-8aCqW4kvdtE89-gtw@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b7f15d06097a4777"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tcHgqOhTeWU93Vva3hLfjlNECp8>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2023 11:37:39 -0000

Thanks for bringing this up. There are a bunch of (implicit) questions in
your e-mail.

1. Do we want rfc describing the final NIST standards? And for which? I'm
ok with that — in this order of priority: ml-kem, ml-dsa, slh-dsa.

2. For which algorithms do we want to assign codepoints once the NIST
standards are out? Codepoints are cheap and use cases/rules are different,
but especially with the hybrids, I'd encourage us to try to be disciplined
and keep the list as short as we can for now, so that early adopters for
which it doesn't matter, all choose the same thing. The DNS mechanism
of draft-davidben-tls-key-share-prediction helps on the performance side,
but it doesn't solve the duplicate engineering/validation if there are a
dozen essentially equivalent KEMs.

3. Do we want to standardise non-hybrid KEMs for TLS? I don't care for them
yet, but others might.

4. Do we need hybrid signatures for the TLS handshake? I don't see the use,
but could be convinced otherwise.

5. What is the future of AuthKEM? That's definitely a different e-mail
thread.

Concretely, after ML-KEM is finished, I was planning to update
draft-schwabe-cfrg-kyber to match it, and proposing to register a codepoint
for a single ML-KEM-768 hybrid in draft-ietf-tls-hybrid-design.

Best,

 Bas


On Mon, Nov 6, 2023 at 10:10 AM John Mattsson <john.mattsson=
40ericsson.com@dmarc.ietf.org> wrote:

> Hi,
>
>
> NIST has released draft standards for ML-KEM, ML-DSA, and ML-SLH. Final
> standards are expected in Q1 2024.
>
>
> https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography
>
>
>
> I would like to have standard track TLS (and DTLS, QUIC) RFCs for ML-KEM
> and ML-DSA (all security levels standardized by NIST) as soon as possible
> after the final NIST standards are ready. 3GPP is relying almost
> exclusively on IETF RFCs for uses of public key cryptography (the exception
> is ECIES for IMSI encryption but that will likely use HPKE with ML-KEM in
> the future).
>
>
>
> Looking at the TLS document list, it seems severely lacking when it comes
> to ML-KEM, ML-DSA…
>
>
>
> The adopted draft-ietf-tls-hybrid-design is an informal draft dealing with
> the pre-standard Kyber.
>
> https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
>
> AuthKEM is a quite big change to TLS
>
> https://datatracker.ietf.org/doc/draft-wiggers-tls-authkem-psk/
>
>
>
> This is not adopted, informal, and dealing with the pre-standard Kyber.
>
> https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/
>
>
>
> What is the TLS WG plan for quantum-resistant algorithms? My current view
> is that I would like ML-KEM-512, ML-KEM-768, ML-KEM-1024, ML-DSA-44,
> ML-DSA-65, and ML-DSA-87 registered asap. For hybrid key exchange I think
> X25519 and X448 are the only options that make sense. For hybrid signing,
> ECDSA, EdDSA, and RSA could all make sense.
>
>
>
> Cheers,
> John
>
>
>
> *From: *TLS <tls-bounces@ietf.org> on behalf of internet-drafts@ietf.org <
> internet-drafts@ietf.org>
> *Date: *Friday, 8 September 2023 at 02:48
> *To: *i-d-announce@ietf.org <i-d-announce@ietf.org>
> *Cc: *tls@ietf.org <tls@ietf.org>
> *Subject: *[TLS] I-D Action: draft-ietf-tls-hybrid-design-09.txt
>
> Internet-Draft draft-ietf-tls-hybrid-design-09.txt is now available. It is
> a
> work item of the Transport Layer Security (TLS) WG of the IETF.
>
>    Title:   Hybrid key exchange in TLS 1.3
>    Authors: Douglas Stebila
>             Scott Fluhrer
>             Shay Gueron
>    Name:    draft-ietf-tls-hybrid-design-09.txt
>    Pages:   23
>    Dates:   2023-09-07
>
> Abstract:
>
>    Hybrid key exchange refers to using multiple key exchange algorithms
>    simultaneously and combining the result with the goal of providing
>    security even if all but one of the component algorithms is broken.
>    It is motivated by transition to post-quantum cryptography.  This
>    document provides a construction for hybrid key exchange in the
>    Transport Layer Security (TLS) protocol version 1.3.
>
>    Discussion of this work is encouraged to happen on the TLS IETF
>    mailing list tls@ietf.org or on the GitHub repository which contains
>    the draft:
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-c404f4af2592f2f4&q=1&e=367fabf2-370b-4cec-b657-05a8499decf6&u=https%3A%2F%2Fgithub.com%2Fdstebila%2Fdraft-ietf-tls-hybrid-design
> .
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-09.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-hybrid-design-09
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email