[TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt
"D. J. Bernstein" <djb@cr.yp.to> Sun, 09 March 2025 23:17 UTC
Message-ID: <20250309231710.335050.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <Z82aAuvLY1tiDxbQ@chardros.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xORZepKr772112lXcQkRq6ED8cQ>
Viktor Dukhovni writes:
> However, you'll be thrilled to learn that it is not possible for a TLS
> server to reuse its ML-KEM keyshare when a client uses a fresh ephemeral
> ML-KEM keyshare.

"Not possible"?

In ECDH, or more precisely ElGamal encryption: Alice sends A = aG; Bob
sends B = bG and C = bA+M; Alice recovers M as C-aB.

In Kyber, Alice sends G and A = aG+e; Bob sends B = Gb+d and C = Ab+M+c;
Alice recovers M by rounding C-aB.

Bob can save time by reusing b. The speedup isn't as big as in the ECDH
context if Alice chooses fresh G and A, but there's still _some_ savings,
notably the time to prepare b for multiplication.

I'm not saying that this is safe. I'm saying that it's what will happen
if Bob is looking for the best speed that interoperates. It can also
happen by accident, of course.

---D. J. Bernstein
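The two exchanges described in the message, as an added toy model that is not part of the original post and is not ML-KEM or any real library's code: plain LWE over Z_q stands in for Kyber's module-LWE, a multiplicative prime-field group stands in for the elliptic curve, and the message's own letters (G, A, a, e, B, b, d, C, c, M) are kept as variable names. The parameters (q = 3329, dimension 16, 8 message bits, noise in {-1, 0, 1}, the Mersenne prime 2^61-1) are assumptions chosen only so the toy always decrypts correctly; nothing here is secure. The demo runs two sessions of each scheme with Bob reusing his b in the second one: both sessions still decrypt, the ECDH-shaped B = bG is identical across the two sessions because G is fixed for everyone, and the Kyber-shaped B = Gb+d differs because Alice's G is fresh each time, so Alice sees nothing repeated. The toy models the public-key-encryption core as written in the message; it does not model ML-KEM's Fujisaki-Okamoto layer, in which the encapsulator derives its randomness from its message and Alice's public key and the decapsulator re-derives and re-encrypts to check the ciphertext.

```python
"""Toy model of the ECDH/ElGamal and Kyber-shaped exchanges (NOT secure, NOT ML-KEM).
Plain LWE over Z_q replaces module-LWE; a prime-field DH group replaces the curve."""
import random

Q = 3329       # Kyber's modulus, reused here for a plain-LWE toy (assumption)
K = 16         # dimension of the secret/public vectors (assumption)
L = 8          # message bits carried per ciphertext (assumption)
HALF = Q // 2  # a bit m is encoded as m * HALF so rounding recovers it

def small(rng, rows, cols):
    """Small secret/noise matrix with entries in {-1, 0, 1}."""
    return [[rng.choice((-1, 0, 1)) for _ in range(cols)] for _ in range(rows)]

def matmul(X, Y):
    """Matrix product over Z_q."""
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]

def add(X, Y):
    return [[(x + y) % Q for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def sub(X, Y):
    return [[(x - y) % Q for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

# --- Kyber-shaped toy: Alice sends G and A = aG + e --------------------------
def lwe_keygen(seed):
    rng = random.Random(seed)
    G = [[rng.randrange(Q) for _ in range(K)] for _ in range(K)]  # fresh per session
    a = small(rng, L, K)                                           # Alice's secret
    e = small(rng, L, K)
    return (G, add(matmul(a, G), e)), a

def lwe_encrypt(pk, msg, rng, b=None):
    """Bob sends B = Gb + d and C = Ab + M + c. Passing b reuses Bob's secret."""
    G, A = pk
    if b is None:
        b = small(rng, K, 1)
    d = small(rng, K, 1)
    c = small(rng, L, 1)
    M = [[((msg >> i) & 1) * HALF] for i in range(L)]
    return (add(matmul(G, b), d), add(add(matmul(A, b), M), c)), b

def lwe_decrypt(a, ct):
    """Alice recovers M by rounding C - aB; the leftover noise eb + c - ad is tiny."""
    B, C = ct
    msg = 0
    for i, (v,) in enumerate(sub(C, matmul(a, B))):
        if Q // 4 <= v < 3 * Q // 4:   # near Q/2 -> bit 1; near 0 or Q -> bit 0
            msg |= 1 << i
    return msg

def lwe_roundtrip(seed, msg):
    """One fresh session: keygen, encrypt, decrypt; returns the recovered message."""
    pk, a = lwe_keygen(seed)
    ct, _ = lwe_encrypt(pk, msg, random.Random(seed + 1))
    return lwe_decrypt(a, ct)

# --- ElGamal / DH-shaped toy with a fixed public generator -------------------
P, GEN = 2**61 - 1, 3   # toy prime-field group (assumption); GEN is fixed for all

def eg_keygen(rng):
    a = rng.randrange(2, P - 1)
    return pow(GEN, a, P), a           # A = g^a  (A = aG in the message's notation)

def eg_encrypt(A, msg, rng, b=None):
    if b is None:
        b = rng.randrange(2, P - 1)
    return (pow(GEN, b, P), pow(A, b, P) * msg % P), b   # B = g^b, C = A^b * M

def eg_decrypt(a, ct):
    B, C = ct
    return C * pow(B, P - 1 - a, P) % P   # M = C / B^a

def demo():
    """Two sessions per scheme; Bob reuses his b in the second session of each."""
    rng = random.Random(2025)
    pk1, a1 = lwe_keygen(1)            # Alice picks a fresh G and A each session
    pk2, a2 = lwe_keygen(2)
    ct1, b = lwe_encrypt(pk1, 0xA5, rng)
    ct2, _ = lwe_encrypt(pk2, 0x3C, rng, b=b)
    A1, x1 = eg_keygen(rng)            # generator is the same for every session
    A2, x2 = eg_keygen(rng)
    eg1, y = eg_encrypt(A1, 1234, rng)
    eg2, _ = eg_encrypt(A2, 5678, rng, b=y)
    return {
        "lwe_ok": (lwe_decrypt(a1, ct1), lwe_decrypt(a2, ct2)) == (0xA5, 0x3C),
        "lwe_B_repeats": ct1[0] == ct2[0],   # False: Gb+d changes when G changes
        "eg_ok": (eg_decrypt(x1, eg1), eg_decrypt(x2, eg2)) == (1234, 5678),
        "eg_B_repeats": eg1[0] == eg2[0],    # True: g^b is the same every session
    }

if __name__ == "__main__":
    print(demo())
```

The noise bound is what makes the rounding safe here: each decrypted coordinate is off by at most 2K+1 = 33, far below Q/4, so a 1-bit lands in [Q/4, 3Q/4) and a 0-bit never does. The "lwe_B_repeats" flag is the point of the demo: with a fixed generator, a reused b is visible on the wire, while with Alice choosing G the reuse leaves no repeated value for her to notice.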