IETF Logo Mail Archive

Re: [TLS] ML-KEM key agreement for TLS 1.3

Deirdre Connolly <durumcrustulum@gmail.com> Wed, 06 March 2024 16:49 UTC

Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9810CC14F5F5 for <tls@ietfa.amsl.com>; Wed, 6 Mar 2024 08:49:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.854
X-Spam-Level:
X-Spam-Status: No, score=-6.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ImfAUlPjhKTh for <tls@ietfa.amsl.com>; Wed, 6 Mar 2024 08:49:52 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD47EC14F5FE for <tls@ietf.org>; Wed, 6 Mar 2024 08:49:52 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-565d1656c12so1995119a12.1 for <tls@ietf.org>; Wed, 06 Mar 2024 08:49:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709743791; x=1710348591; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DbXLbNTBK6ze/sSbYvJtBu6dNTxZHELhjLWs7gjiLbI=; b=OCYd1Vm5ZLQTTTZzaWKoRC/azuIfA+RfUZ6pT5QeqKwdn4VE6hAsVuk0hvWiFnlc+I jlR+VJbRWyB+AVrR74pvBGRePPaJ43G3W1wv5NIz5cWNAb+j5vCzjSzNkos0s2G4+CnD 32tuXOkzg/VVjEGWcKG4YhIIXYFHUIg8bOlePmsfWCkhj2QFnfRLNRKLmVujyWjQmy6V f4O6s6f2s0S6eF+S92sI9aSb8yA0d/4yyVTcVR7lywWL63BHZwaiZERhPWkvCjdxl66L ifAYQIlFWhA9fNKc2U1kCsu7I1r8XMcgw7MCt1TuJdseqDH5w8xxGQN+bi7Gq7sb3TOJ M+EA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709743791; x=1710348591; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DbXLbNTBK6ze/sSbYvJtBu6dNTxZHELhjLWs7gjiLbI=; b=K/VJkT1/hzb+aOS9PXIM36TFUq5re7R/Mp5REcgm/CauaLBknL4HPupHGdyajt8OFw ZuDnBJETdwaGlCPyDaHlIFf3mxkD385WmOkUphxKaD99a3alwjr1d2CaVz4e0UA4rAZj kFiMf0Orlwy8tgmUh7zM3+gKvAaqiyWxQtLQlporFDOoMR+kPx1JFhDra83RHvSRqkiG vP9PLlvvn3m2at/xHnm7Na8nK03ZVw15nXbwVQyyoomt+pNOtCKel0UmuuiPbz+lMwjL W8NdL5N6kfzz/BL3LjIVFqaS0St47228ET3st9BwTr9JqbQhFHiDA3Pg+7qiR5WPH3IY G57Q==
X-Gm-Message-State: AOJu0Yyqsz8XqzpriFiASTvR6BxExJXMYqoY29fS06Zprgnlp5JyvMWC ZCEXf79aU824C0Yc8kQ7KWkBrEFDUKC2/vuLN2D2MZZXxkKoD0HU40G2wvY3b35JwBFYS5JNM77 LG5JhljhT41qd4Ra9E4yJef7kvbM=
X-Google-Smtp-Source: AGHT+IH53DmKky5utwmtsKFc2xCbBNq4m0DV+5vdu2+fDQYZ+lhuGCb6k3gTtx7CKDxEuNzPoDprcLw5QSgQAHXWzEU=
X-Received: by 2002:a05:6402:214e:b0:566:59a2:7a10 with SMTP id bq14-20020a056402214e00b0056659a27a10mr6088556edb.1.1709743790325; Wed, 06 Mar 2024 08:49:50 -0800 (PST)
MIME-Version: 1.0
References: <CAFR824wL3sZKoD6OzVpOi8=HZ+aFjqVi4L8UsF8b0p18KOEqVA@mail.gmail.com> <CABcZeBPFidzshG2ZM0+JKc73prvan4_FWTTr6r1byxAeXkkcOw@mail.gmail.com>
In-Reply-To: <CABcZeBPFidzshG2ZM0+JKc73prvan4_FWTTr6r1byxAeXkkcOw@mail.gmail.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Wed, 06 Mar 2024 11:49:13 -0500
Message-ID: <CAFR824zbHgwCcHi6C7SATP5q0M7N7rYAjHXt9pGAnK=KDJCJhA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004789bf061300bfac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qFRxBSnEPJcdlt7MO0cIL2kW5qc>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2024 16:49:56 -0000

> Can you say what the motivation is for being "fully post-quantum" rather
than hybrid?

Sure: in the broad scope, hybrid introduces complexity in the short-term
that we would like to move off of in the long-term - for TLS 1.3 key
agreement this is not the worst thing in the world and we can afford it,
but hybrid is by design a hedge, and theoretically a temporary one.

In the more concrete scope, FIPS / CNSA 2.0 compliance guidelines
<https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF>
currently are a big 'maybe' at best for 'hybrid solutions', and the
timetables for compliant browsers, servers, and services are to exclusively
use FIPS 203 at level V (ML-KEM-1024) by 2033. I figure there will be
demand for pure ML-KEM key agreement, not hybrid (with no questions that
come along with it of whether it's actually allowed or not).

Relatedly, the currently adopted -hybrid-design
<https://dstebila.github.io/draft-ietf-tls-hybrid-design/draft-ietf-tls-hybrid-design.html>
outlines several combinations of ECDH and KEM, and allows computing the
ECDH share once and sharing it between an ECDH share and a hybrid ECDH+KEM
share, but there is no equivalent for just using a KEM on its own, and
computing its shared secret once and advertising it as both standalone and
in a hybrid share. So I think defining these standalone ML-KEM
`NamedGroup`s also 'draws the rest of the owl' implied by -hybrid-design.

On Wed, Mar 6, 2024 at 10:12 AM Eric Rescorla <ekr@rtfm.com> wrote:

> Deirdre, thanks for submitting this. Can you say what the motivation is
> for being "fully post-quantum" rather than hybrid?
>
> Thanks,
> -Ekr
>
>
>
> On Tue, Mar 5, 2024 at 6:16 PM Deirdre Connolly <durumcrustulum@gmail.com>
> wrote:
>
>> I have uploaded a preliminary version of ML-KEM for TLS 1.3
>> <https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/>
>> and have a more fleshed out
>> <https://github.com/dconnolly/draft-tls-mlkem-key-agreement> version to
>> be uploaded when datatracker opens. It is a straightforward new
>> `NamedGroup` to support key agreement via ML-KEM-768 or ML-KEM-1024, in a
>> very similar style to -hybrid-design
>> <https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/>.
>>
>> It will be nice to have pure-PQ options (that are FIPS / CNSA 2.0
>> compatible) ready to go when users are ready to use them.
>>
>> Cheers,
>> Deirdre
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>

v2.39.1 | Report a Bug | By Email | System Status