[TLS] Comments on draft-wagner-tls-keysharepqc-08.txt
Eric Rescorla <ekr@rtfm.com> Thu, 19 March 2026 20:10 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0C349CE1EB38 for <tls@mail2.ietf.org>; Thu, 19 Mar 2026 13:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Bws8H7RkC54 for <tls@mail2.ietf.org>; Thu, 19 Mar 2026 13:10:52 -0700 (PDT)
Received: from mail-yx1-xb135.google.com (mail-yx1-xb135.google.com [IPv6:2607:f8b0:4864:20::b135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 2722BCE1EB31 for <tls@ietf.org>; Thu, 19 Mar 2026 13:10:52 -0700 (PDT)
Received: by mail-yx1-xb135.google.com with SMTP id 956f58d0204a3-64e9f9226a7so1090842d50.2 for <tls@ietf.org>; Thu, 19 Mar 2026 13:10:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773951045; cv=none; d=google.com; s=arc-20240605; b=LtgflY9tFKL9p8RG3hY73PBXXBkMYes1p4WKbOWOjS9fDtgxK9cgGDG3rAhssVcxYA +ImbbCfV5LKvhIbYwtmMaSQqy1bNrZUjnBdMaiwKQ2XVRJPo1o2JxLQMOxOWqzyJG+O1 oqdCEhPP4RXvehG/jeQTxrk0htIYFjs9a6oV8LFiAL4XTs7pk2iqdv/Nu+aSjuXzeo64 5XZ7fZwmN7RhJVBzgYdIWU1kZNaZywESHZfpc7adkF6KUvFSVvqRqYOhpowRx5GcNMAd Tx9W6psRPeas2faxnMYGHkvvYo3vyHt2kE49U/5+mHfB0MpG5q5oAKmy2LYij1TISkFz HWsQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=qEaadQS2wgpArRYavDc9+wcOk/0AgPluTDcxhOrNFA0=; fh=6dNaabedNczh5TXKCP3vnXRLFdmtidwzU4uB2XwvFYI=; b=MeobS+3y5YIE1q8gGBAPTuUD+tlnDRCadfO6ZoXP6Q3vKmwEvh26FFL6dxFMVfOHs8 RUS8ZLdMZoPGcSS41d3JOmQTx76BpnNYuV8xapPvBCc9UitUtppAvZfNw2D9ydJ62+zj AlXUbLtUit2HTsNDQK8IwdhueU/xC4y6ByBsb2KWHyrJIFP0rtA97dUGTA8pxOZiNJVX uh//sHwFgn07L4BoXiH3+DuxmdhIGNN+RYJcazIi7sEq0czbf944hY8lqIP+BgvpK7/p l0CuPNJratMy/qZK0cqHNUc1Mw5XdIPR0LIqdo01MW5TeSVSZjapA85yCH0i9x1BXTt3 EefA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1773951045; x=1774555845; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=qEaadQS2wgpArRYavDc9+wcOk/0AgPluTDcxhOrNFA0=; b=eS3xRLE7DuFA8Zi5kGB/HhIag2yDNBctPgiMbjXih52qjTOYogZQ32ZY60pgvgZTVg nJK2IHBunadw4DbF2jw3o4Rj5vc9++yOTdxWkFu63RvclHUSBtfAK+soUUTbSyNKJj29 S+QgqO/mwaeB59JfXdT2V9aV1x+YvLwN0gwwCYoMipgmlMxrF1MVshXe82atbVo0KqK3 pUZUA7+9FJRFQzCzUZ9qXhaktnPgBJHNKJZsERnUQTbQ146JJ3SXkyUX0plO8dop4GLa nvMWi66muHF6mFwuhJnFLk20OhLAQWfz0sVdMd6wd6XfF6vIe4TxqDfkb9WhTCCzi5+h 2JGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773951045; x=1774555845; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=qEaadQS2wgpArRYavDc9+wcOk/0AgPluTDcxhOrNFA0=; b=IIVQYqTnnv5NsKPTs1KiH6XfjkHqfzl10TrpPmZ5+i2PoTslyRl8h+PddZUCCQ5dY1 1mUi77zVwpVliN/IMVckCOCv6TB6DZrotzq1rSGCOMjtevXxjqX3eKlmaSwWpAL5Hx/n 4nq5zBB0v94vPnGpkng9JKzpcoveWlHe0XnXCay5Z46XN+1YpYTe4TJulU1H6nXpBd7K NWaQ5VZ5YIAMyZRgGkJZEWHu+FI5p6gi5ASHAqYxazv+T4l+6TCY8d32hh1XsvPd7M4x idcL42YxdtdK5K4o8Ewe6Gqg0T05iy4GP9Dxm15Dht5Fz2V894813krVY1pG26i/NSbq SMcQ==
X-Gm-Message-State: AOJu0YxAMvJWRXgy0chhqytFbI0fYcRMSFA60+80DkDBchKMfZH/scnl Rymfh4YmkE1S5ohEYQWV574wXR/RQB9poFL70dwC/PmRz3W4J1NXOS1x9sjdaE2u3irXbVytKx+ EnLwFqBlDGBZVNa+ZBuWYZkyubZaCkjlJd0LyOzdISKSBeSxJZ0o81hdpaQ==
X-Gm-Gg: ATEYQzw75qsiw2V4x62kpywsdIwhn+dD6gALrofHoIFwywVvOFC+XrO1eG+CwPGuhL5 FUOVoPn0VuXcwB+IgHlooaRGDdKe+X+4d/GBwX4ZonWLSDBBzrot/9Cv95t78Wyeu47y61pofgG zQfABZpbPmXSoVLvR2YgKB7Mf6krqeorZhEmj/6lBXaDz2qCUETg4/DTzQsyxKoy9ZUK90dQ7Fd pK3sBFV/cc48pg881/3/+o1ejDCAoDu4LC8obEJyMmyAx157N+N8BcyOEuUvMYyfTvNjqx4Nv3P WbiCm6t12mhAw8xN0L1V8sK/1IWorARXTSubUmvv36j6rZ8HCPevHjexvXJoX6qXCVoCe1cDWfp 5iHfzv2xV12auM2eHEagtHA==
X-Received: by 2002:a05:690e:1914:b0:64e:9d51:87d1 with SMTP id 956f58d0204a3-64eaa6a1fcamr998513d50.7.1773951045306; Thu, 19 Mar 2026 13:10:45 -0700 (PDT)
MIME-Version: 1.0
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 19 Mar 2026 13:10:09 -0700
X-Gm-Features: AaiRm53UwMyRxjavaIJjvAyArwrlUyZuhIpD74FSOa1tmIxPhJAgyzu7U5jW9Io
Message-ID: <CABcZeBPFtnS_bOmfNUpyjPLTZyiRsqp0OvQ-3zErdDeAfofKoQ@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e7981f064d66299e"
Message-ID-Hash: 6Y53UU4TKOQEMBRAXUKAYEPMMRX6JRL3
X-Message-ID-Hash: 6Y53UU4TKOQEMBRAXUKAYEPMMRX6JRL3
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Comments on draft-wagner-tls-keysharepqc-08.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yL5ookw8YwbBBrue5GycWRrN4wE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Document: draft-wagner-tls-keysharepqc-08.txt
Thank you for sending this draft.
I am ambivalent on whether it is actually important for TLS to support
PQ algorithms with keys > 64KB. I think it's clear that the
performance implications would be quite bad in many cases (e.g., the
Web), though perhaps there are some environments where it doesn't
matter. I understand people might be concerned about ML-KEM, but there
are other alternative PQ algorithms that do not have quite so dire
performance properties.
However, if we are to do so, I do not believe that any of the
proposals you have here work very well. As you note in your
introduction, there are two size limits in play here:
1. The maximum size of a HandshakeMessage (2^24-1)
2. The maximum size of an extension (2^16^1)
3. The maximum collective size of all the extensions (also 2^16-1)
I don't think that the HandshakeMessage size is really relevant, as
algorithms with keys that exceed 16MB are not likely to be
practical. The basic problem here is the maximum collective size of
the extensions [0]. As a result, it is simply not possible for a
client to transmit more than about 64K of material in its initial
ClientHello and also have it be compatible with existing servers. IMO,
the right approach is to address this head-on, as follows:
1. Modify the ClientHello format to remove the limit.
2. Have a way for the client to learn it can use the new ClientHello
format.
The fix for (1) is straightforward: replace some if not all of the
variable-length vectors with fixed limits with ones with
variable-length limits as in MLS's `T<V>` syntax (see RFC 9420 S
2.1.2). Once you have done this, then you can just naturally carry
arbitrarily large extensions. We can discuss whether this would be a
global replacement (all vectors) or a targeted one
("large_extensions").
The first of these is obvious, so let's focus on the second. The
natural way to do this is with HRR. In particular, the idea would be
to create a new extension that indicated that you supported the new
format. For concreteness, say we use the "large_extensions" extension,
which just redefines Extensions as:
struct {
ExtensionType extension_type;
opaque extension_data<V>;
} Extension;
and then the various extensions fields as:
Extension extensions<V>;
The semantics of the large_extensions extension are that the client
offers it and if the server accepts it, future messages use the new
format. The resulting handshake looks like this (with some fields
elided):
Client Server
ClientHello
+ large_extensions
+ supported_groups[X25519, McEliece]
+ key_share[X25519] -------->
HelloRetryRequest
+ large_extensions
+ supported_groups[McEliece]
ClientHello (large extensions version)
+ large_extensions
+ supported_groups[X25519, McEliece]
+ key_share[McEliece] -------->
...
This fits naturally into our existing pattern and reflects the fact
that you can't safely send the big key share in the first message
anyway, and you most likely don't want to if you don't know the other
side supports it because it's a waste of bandwidth. Moreover, because
it's a generic solution, you don't need to change anything else.
It's slightly irritating that even if you know that the server
supports large extensions you can't just start out with that. I think
that's a problem we could figure out how to solve if we really had to,
but TBH I doubt it's worth it because you're already absorbing
a bunch of round trips. It *might* be worth it for ECH, but I'd
want to see some evidence that ECH was really going to exceed 64K.
As an aside, I think the material in S 3.1.1 about changing
PskKeyExchangeMode
is misguided. The right approach is just to treat these PQ algorithms
as if they were DH and overload psk_dhe_ke.
-Ekr
[0] Were the problem the individualized size of extensions, we could
split things up between extensions.
- [TLS] Comments on draft-wagner-tls-keysharepqc-08… Eric Rescorla
- [TLS] Re: Comments on draft-wagner-tls-keysharepq… Valery Smyslov
- [TLS] Re: Comments on draft-wagner-tls-keysharepq… Eric Rescorla
- [TLS] Re: Comments on draft-wagner-tls-keysharepq… Kampanakis, Panos
- [TLS] Re: Comments on draft-wagner-tls-keysharepq… David Benjamin
- [TLS] Re: Comments on draft-wagner-tls-keysharepq… Martin Thomson
- [TLS] Re: [EXT] Re: Comments on draft-wagner-tls-… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [EXT] Re: Comments on draft-wagner-tls-… Eric Rescorla
- [TLS] Re: Comments on draft-wagner-tls-keysharepq… Valery Smyslov
- [TLS] Re: Comments on draft-wagner-tls-keysharepq… Valery Smyslov
- [TLS] Re: [EXT] Re: Comments on draft-wagner-tls-… Loganaden Velvindron
- [TLS] Re: Comments on draft-wagner-tls-keysharepq… Eric Rescorla
- [TLS] Re: Comments on draft-wagner-tls-keysharepq… Loganaden Velvindron