[TLS]Meta deploying -hybrid-design
Deirdre Connolly <durumcrustulum@gmail.com> Mon, 12 August 2024 16:49 UTC
Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9073EC18870B for <tls@ietfa.amsl.com>; Mon, 12 Aug 2024 09:49:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.855
X-Spam-Level:
X-Spam-Status: No, score=-6.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YK8UtSdR61Ko for <tls@ietfa.amsl.com>; Mon, 12 Aug 2024 09:49:33 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB4C1C180B75 for <tls@ietf.org>; Mon, 12 Aug 2024 09:49:33 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-5b7b6a30454so5166817a12.2 for <tls@ietf.org>; Mon, 12 Aug 2024 09:49:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723481371; x=1724086171; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=57gOCwURd7bIeXmVgy2oJiKNJ6ylRx6yPe+pbObDM1U=; b=bYVIlVAD0tBNlWFzsCIlcLGY+s4hRq2lH74hVi7y130rdom9i1iuLxx0Vnss06fRBQ CCk6BKpC3Ne3NL7rk1xJ6QhrkiVYn/ZNnLTz82S8/yyZ0V2/1mUirb7GDUWG5hAwjy4D HDisJON3UQsYVSLWIquzAlbQa1uF5/QOr2HkyzbVyZ6XRcTSTvwDoD8aiBqJjU66QZRP KKAs6sDt8OleJAVbHh4qm1NadQ6/rwrVgREyThnUEcsTPfBFrn6YYn1qK8CKtmBMkxaX /WBB7HQ1G6cLo76F4OC0R7tavAVVaoGq2jU7IAyn19vSg3ra0yPLKwYDZVW0XV3XI/c0 csHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723481371; x=1724086171; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=57gOCwURd7bIeXmVgy2oJiKNJ6ylRx6yPe+pbObDM1U=; b=jQuJX7cWXchHoESepsb8n7F4N9iZ4TTVgUA/SGeeHw+7+lIXXpwb/kLF//LWy2jZtC mA/+GfRmCK/QqUrBmNlT7G2a2Nb2qqpNksfU3UA/ztsmByw0EWl76VlVUnM6bHJTWXjW 68/03v92FoXXdfNxMJ4/PUkflJLqetOdDTOn6Gyp1U+OSjdJXCwR66RhwYKeOxYbJpeg Mm95Kuvffm3YAv+KOZz+AztwbsWk94XBHnDx34gSTnucpPn7vXFBuQvwjvPVLO1qn5P5 nbVSW1Fbz96FmtHYx7c/NFqnBanD2lJI4e3DrBJ4n48DzstvTfSkjPvJ+P8tRB72hXTe 87Nw==
X-Gm-Message-State: AOJu0Yzl2H7UK6ALRl/51u4niOFRNxaYc0QIgSp/n63RQsQ6qADPI/P5 6evzpEzsWklAfJSvLRVAqONOdx4FaGAk8TwjTUZvv1zeB5wpOY9NF4jzbQWTacokHRnpviz2f7d /8oq+diMFgaAGYHKekXjhc/NQoqM11g==
X-Google-Smtp-Source: AGHT+IFHL7zSAQ5NP3RGDNec4So8rw6TkMn6hMT4m0Ag2G20tS6lYZo9D3JqeOiR2Ba7fUEsYfc52X6CbdmV2pHa3jo=
X-Received: by 2002:a05:6402:280d:b0:5bb:9b09:8c7d with SMTP id 4fb4d7f45d1cf-5bd44c6bcd6mr645138a12.24.1723481370769; Mon, 12 Aug 2024 09:49:30 -0700 (PDT)
MIME-Version: 1.0
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Mon, 12 Aug 2024 12:49:19 -0400
Message-ID: <CAFR824xj7tkQObS3QBrxm36THCRqBjm1KDjpgZpu3Ay-0HHzgg@mail.gmail.com>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e1bff2061f7f464b"
Message-ID-Hash: QDPLAMUSTOPDTUAIWA5VP4W6TZC7QH3K
X-Message-ID-Hash: QDPLAMUSTOPDTUAIWA5VP4W6TZC7QH3K
X-MailFrom: neried7@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Meta deploying -hybrid-design
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yk6LKSgvYg20Nxk-y_W6ZzQYH1I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Starting with internal connections: https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/ > For our deployment, we have chosen Kyber with X25519 in a hybrid setting. Kyber is the only key encapsulation mechanism selected by NIST for standardization so far. Kyber comes in different parameterizations: Kyber512, Kyber768, and Kyber1024. Larger parameterizations provide stronger security but also require more computational resources and communication bandwidth. We aim to use Kyber768 by default, while using Kyber512 in some cases where larger parameterizations lead to prohibitive performance impact, to accelerate the deployment of PQC hybrid key exchange. Challenges include large packet sizes: > After evaluating various alternatives and workarounds, and given the prohibitive key size of Kyber768, we opted to use Kyber512 in internal communications affected by this problem for now, allowing us to accelerate the PQC deployment. Kyber512’s 800-bytes-long public keys help with fitting the ClientHello into a single TCP packet, while still being considered secure by NIST. This choice ensures both security and efficient communication. In the future, an increase in MTU, or utilizing QUIC, which allows for multiple initial packets, may allow for larger ClientHellos without an additional round trip. and cross-domain session resumption handshake thrashing: > As previously mentioned, we do Ephemeral Diffie-Hellman key exchange on resumption. To facilitate efficient use of computation resources, the client will send only the minimally required default keyshares, which in the resumption case means the keyshare for the previously negotiated named group. This means that when a client connects to a particular server and negotiates a classical named group, then subsequently resumes on a server with which the client should use a hybrid named group, the client would advertise the hybrid named group but send only the keyshare for the classical named group. This leads to the server negotiating the hybrid named group and replying with a HelloRetryRequest to ask the client for the hybrid keyshare, resulting in an additional 1-RTT to perform the key exchange. > To address this, we had the client split each service into different TLS session scopes – one using classical key exchange, and one using hybrid key exchange. Each session scope thus uses only one named group each, avoiding the keyshare thrashing behavior described above. The tradeoff is space consumption due to having to store more session tickets, but this has been acceptable given the small size of each session ticket (a few hundred bytes). They also included more in-the-wild data on Kyber768 computational costs: > Meta currently uses X25519 in Elliptic Curve Diffie-Hellman key exchange. During the initial rollout of hybrid key exchange with the hybrid named group X25519_kyber768, we observed a roughly 40 percent increase in CPU cycles. Although this may seem like an undesirable result, it actually indicates that Kyber768 standalone key exchange is faster than x25519, which lines up with results others have found.
- [TLS]Meta deploying -hybrid-design Deirdre Connolly
- [TLS]Re: Meta deploying -hybrid-design Martin Thomson
- [TLS]Re: Meta deploying -hybrid-design Kyle Nekritz