Re: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt

"Kampanakis, Panos" <> Tue, 13 July 2021 04:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B5E923A12A5 for <>; Mon, 12 Jul 2021 21:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.049
X-Spam-Status: No, score=-10.049 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W21SSSP_KcsG for <>; Mon, 12 Jul 2021 21:21:07 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D1BEC3A129C for <>; Mon, 12 Jul 2021 21:21:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=amazon201209; t=1626150067; x=1657686067; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=n/L4sbwJ3WOq28RSGl+lb4AUDmKQx9THFQj8I/G+DIM=; b=cFhSlFcxfqlPu3EYCMjU2Ezajpqg3fLr2woBCXYPsAF4nfVxbqeBPIzw W1a3RXsX5Cm8Hkvp1fGUITLD15lnhzFRr3W66iC9VGkUXwrLBNY7FyfMn ZN7XPsUEdy/Xn+3aMa00VIk9ArLJAepN5Vo6kQfCtOiLjLHmi2zFvinSa Q=;
X-IronPort-AV: E=Sophos;i="5.84,235,1620691200"; d="scan'208";a="125018321"
Thread-Topic: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt
Received: from (HELO ([]) by with ESMTP; 13 Jul 2021 04:19:57 +0000
Received: from ( []) by (Postfix) with ESMTPS id 1A6872800A2; Tue, 13 Jul 2021 04:19:57 +0000 (UTC)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.18; Tue, 13 Jul 2021 04:19:55 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.18; Tue, 13 Jul 2021 04:19:54 +0000
Received: from ([]) by ([]) with mapi id 15.00.1497.018; Tue, 13 Jul 2021 04:19:55 +0000
From: "Kampanakis, Panos" <>
To: "Blumenthal, Uri - 0553 - MITLL" <>
CC: "<>" <>, Douglas Stebila <>, Eric Rescorla <>
Date: Tue, 13 Jul 2021 04:19:54 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Jul 2021 04:21:12 -0000

Hi Uri,

If we are talking NIST Level 5 (and I am assuming you are discussing mTLS), have you calculated the total CertVerify+cert chain sizes there assuming 2 ICAs let's say? 

And would constrained devices or mediums that sweat about 5KB really be able to support PQ KEMs and Sigs at NIST Level 5?

-----Original Message-----
From: TLS <> On Behalf Of Blumenthal, Uri - 0553 - MITLL
Sent: Monday, July 12, 2021 11:39 PM
To: Douglas Stebila <>om>; Eric Rescorla <>
Cc: <> <>
Subject: RE: [EXTERNAL] [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

Let me emphasize the reasons Douglas brought up. Note that I need to use NIST Sec Level 5 algorithms. So, Kyber-1024 and Dilithium5 (other algorithms show even worse ratio between KEM and signature!).

Communications costs:
- Difference in public key sizes: 1568 bytes of Kyber vs. 2592 bytes of Dilithium => 1024 extra bytes to carry over channel each way;
- Signature: extra 4595 bytes each way, because in addition to exchanging certs (aka "signed public keys", which is inevitable) you need to sign the exchange and communicate that signature across;
- Total: 5619 extra bytes each way. For peer-to-peer broadband connections, you can say "so what?". But my links are *very* austere.

Computation costs (ballpark, on a powerful CPU):
- KEM: keygen 15us, encap 18us, decap 14us (say, double encap and decap for PFS-providing exchange);
- Signature: sign 113us, verify 55us;
- Comparison: 134us for signature-less KEM vs. 215us for TLS-like exchange => almost twice as long;
- Difference may be negligible for Intel Xeon, but for my much weaker hardware it matters.

So, for constrained environments with austere comm links, signature-less "authkem" is God-sent.
Big servers that need to support many clients (so they care how much CPU cycles and comm bytes they spend on every connection) would appreciate these savings too.

@ekr,I hope this provides convincing explanation why "authkem" is needed.

P.S. I know that Falcon has much more favorable sizes - but (a) it takes three times as long to sign, and (b) it uses FP calculations, which isn't great to implement in my environment.

There are two ways to design a system. One is to make is so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
                                                                                                                                     -  C. A. R. Hoare

On 7/12/21, 20:59, "TLS on behalf of Douglas Stebila" < on behalf of> wrote:

    Hi Eric,

    The main motivation is that, in some cases, post-quantum signatures are larger in terms of communication size compared to a post-quantum KEM, under the same cryptographic assumption.

    For example, the KEM Kyber (based on module LWE) at the 128-bit security level has 800-byte public keys and 768-byte ciphertexts.  The matching signature scheme Dilithium (also based on module LWE) has 1312-byte public keys and 2420-byte signatures.  Doing KEM-based server authentication rather than signature-based server authentication would thus save 2164 bytes per handshake.

    We would still need digital signatures for a PKI (i.e., the root and intermediate CAs would sign certificates using PQ digital signature schemes), but the public key of the endpoint server can be a KEM public key, not a digital signature public key.


    > On Jul 12, 2021, at 20:30, Eric Rescorla <> wrote:
    > Hi folks,
    > I have just given draft-celi-wiggers-tls-authkem-00.txt a quick
    > read. I'm struggling a bit with the rationale, which I take to be
    > these paragraphs:
    >    In this proposal we use the DH-based KEMs from [I-D.irtf-cfrg-hpke].
    >    We believe KEMs are especially worth discussing in the context of the
    >    TLS protocol because NIST is in the process of standardizing post-
    >    quantum KEM algorithms to replace "classic" key exchange (based on
    >    elliptic curve or finite-field Diffie-Hellman [NISTPQC]).
    >    This proposal draws inspiration from [I-D.ietf-tls-semistatic-dh],
    >    which is in turn based on the OPTLS proposal for TLS 1.3 [KW16].
    >    However, these proposals require a non-interactive key exchange: they
    >    combine the client's public key with the server's long-term key.
    >    This imposes a requirement that the ephemeral and static keys use the
    >    same algorithm, which this proposal does not require.  Additionally,
    >    there are no post-quantum proposals for a non-interactive key
    >    exchange currently considered for standardization, while several KEMs
    >    are on the way.
    > I see why this motivates using a KEM for key establishment, but I'm
    > not sure it motivates this design, which seems like a fairly radical
    > change to TLS. As I understand the situation, in the post-quantum
    > world we're going to have:
    > - non-interactive KEMs (as you indicate above)
    > - some sort of signature system (otherwise we won't have certificates).
    > This certainly argues that we need a KEM for key establishment, but
    > not for authentication. Instead, why can't we use signatures for
    > authentication, as TLS does today? I.e., the certificates would have a
    > (potentially post-quantum) signing key in them and you then use the
    > KEM for key establishment and the signing key for authentication.
    > That would give us a design much closer to the present TLS 1.3
    > (effectively just defining a new group for the KEM).
    > What am I missing?
    > -Ekr
    > _______________________________________________
    > TLS mailing list

    TLS mailing list