[TLS] Re: PQ Cipher Suite I-Ds: adopt or not?

Rob Sayre <sayrer@gmail.com> Mon, 23 December 2024 21:26 UTC

From: Rob Sayre <sayrer@gmail.com>
Date: Mon, 23 Dec 2024 13:26:23 -0800
Message-ID: <CAChr6SxxDv-4Zoh5NVawrUt8eQ4mVmMUSWmZQJ_Mpj3wncsYqA@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
CC: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uj6U0AJaQ6rpiYah6LTNnB_HD7s>

Hi all, since I am still on the CC list,

I took the question to be about how to organize the work. If everything is
a priority, there are no priorities.

That's why I want to do this one (and only this one), first:
https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/

Some of the other ones look like they could benefit from waiting, in the
sense that contentious points might resolve themselves over time.

thanks,
Rob

On Mon, Dec 23, 2024 at 11:00 AM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> wrote:

> TL;DR: Historical notes: not important for the current discussion.
>
>
>
> To be clear about whether Cisco (or actually, me – I don’t actually speak
> for Cisco, but I like to think they listen to my advice) preferred NTRU or
> NTRU Prime – I actually didn’t have a strong opinion.  I advocated NTRU
> because it made it to round 3 (rather than stopping at round 2 as NTRUPrime
> did), and so it appeared to be a bit more mature (that is, having more
> cryptanalysis).  If there was a general consensus towards NTRU Prime, we
> would have happily gone along.
>
>
>
> Other than that, John summarized the situation well – Cisco (or actually,
> Cisco’s lawyers) are happy with how the IPR issues around ML-KEM were
> resolved and are going forward with that (with both pure and hybrid).
>
>
>
> *From:* John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
> *Sent:* Monday, December 23, 2024 9:02 AM
> *To:* Loganaden Velvindron <loganaden@gmail.com>; Rob Sayre <sayrer@gmail.com>
> *Cc:* TLS List <tls@ietf.org>
> *Subject:* [TLS] Re: PQ Cipher Suite I-Ds: adopt or not?
>
>
>
> The thread starts with “Due to this, Cisco has preliminarily considered
> Kyber unusable”
>
> This is obviously not true anymore as Scott very clearly stated that Cisco
> wants to see both hybrid and non-hybrid ML-KEM standardized, and that they
> want to implement and ship both. I agree with Scott. Also, I think Cisco
> was quite clear on that if the IPR uncertainties regarding ML-KEM were not
> addressed, which they were, they wanted NTRU, not NTRU Prime
> https://datatracker.ietf.org/doc/html/draft-fluhrer-cfrg-ntru-01
>
> Mozilla is obviously shipping ML-KEM in Firefox. I am an avid user of
> Firefox, and I am happy to see X25519MLKEM768 on more and more webpages.
>
> Cheers,
> John
>
>
>
> *From: *Loganaden Velvindron <loganaden@gmail.com>
> *Date: *Monday, 23 December 2024 at 02:56
> *To: *Rob Sayre <sayrer@gmail.com>
> *Cc: *TLS List <tls@ietf.org>
> *Subject: *[TLS] Re: PQ Cipher Suite I-Ds: adopt or not?
>
> If there are some patent concerns regarding ML-KEM going forward, would it
> be worth considering NTRU-Prime as a less risky option for TLS Kex?
>
> (Please see this thread:
> https://discourse.mozilla.org/t/patent-license-for-kyber/128114)
>
> There is a section about patents here:
> https://ntruprime.cr.yp.to/warnings.html
>
>
> On Tue, 17 Dec 2024 at 02:53, Rob Sayre <sayrer@gmail.com> wrote:
> >
> > Hi,
> >
> > I only support an adoption call for this one:
> >
> > https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/
> >
> > The other ones seem like they could wait, carefully noting that
> > postponement is not a "no" vote.
> >
> > thanks,
> > Rob
> >
> >
> >
> >
> > On Mon, Dec 16, 2024 at 2:21 PM Martin Thomson <mt@lowentropy.net> wrote:
> >>
> >> On Tue, Dec 17, 2024, at 08:59, Sean Turner wrote:
> >> > Is the WG consensus to run four separate adoption calls for the
> >> > individual I-Ds in question?
> >>
> >> I would like to see adoption calls for the key exchange modes and not
> >> the signature modes.  The key exchange documents are both more ready and
> >> more urgent.
> >>
> >> The question of whether to set Recommended = Y for any particular
> >> choice is separable and can wait.  Keep things as Recommended = N for now.
> >>
> >> _______________________________________________
> >> TLS mailing list -- tls@ietf.org
> >> To unsubscribe send an email to tls-leave@ietf.org