Re: [TLS] Updated AuthKEM drafts

2023-11-06 Thread Ilari Liusvaara
On Tue, Nov 07, 2023 at 08:00:57AM +0100, Thom Wiggers wrote: > Hi Peter, > > The KEM used for authentication indeed needs to be IND-CCA secure, > but so does the KEM for ephemeral key exchange (IND-1CCA, at least). > The TLS key schedule should ensure that this all goes correctly, if > I recall

Re: [TLS] How to issue certs for draft-celi-wiggers-tls-authkem ?

2023-11-06 Thread Thom Wiggers
Hi Mike, Yeah, this point is one that I hadn’t thought to bring up in the presentation, but that I also think is one of the things that will require pushing from both sides; as long as KEMs in certs are a niche use case, then we don’t have a lot of motivation to really start having these

Re: [TLS] Updated AuthKEM drafts

2023-11-06 Thread Thom Wiggers
Hi Peter, The KEM used for authentication indeed needs to be IND-CCA secure, but so does the KEM for ephemeral key exchange (IND-1CCA, at least). The TLS key schedule should ensure that this all goes correctly, if I recall the discussion on the concatenation of the secrets and

Re: [TLS] [EXT] Re: What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Yoav Nir
> On 7 Nov 2023, at 0:29, Blumenthal, Uri - 0553 - MITLL > wrote: > > Do we want rfc describing the final NIST standards? And for which? I'm ok > with that — in this order of priority: ml-kem, ml-dsa, slh-dsa. > > Probably yes, and in the order you described. Sure, as long as by

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Yoav Nir
> On 6 Nov 2023, at 21:44, Watson Ladd wrote: > > > > On Mon, Nov 6, 2023, 10:07 AM Kris Kwiatkowski > wrote: >> So, based on FIPS 140-3 I.G., section C.K., resolution 5, [1]. "SP800-186 >> does not impact the curves permitted under SP 800-56Arev3. Curves that

Re: [TLS] [EXT] Re: What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Blumenthal, Uri - 0553 - MITLL
Do we want rfc describing the final NIST standards? And for which? I'm ok with that — in this order of priority: ml-kem, ml-dsa, slh-dsa. Probably yes, and in the order you described. For which algorithms do we want to assign codepoints once the NIST standards are out? Codepoints are

Re: [TLS] Updated AuthKEM drafts

2023-11-06 Thread Peter C
Sorry, the hybrid TLS draft I referenced should have been draft-tls-westerbaan-xyber768d00. I do realise they are different drafts with slightly different KEMs, I just can't copy and paste properly! Peter From: TLS On Behalf Of Peter C Sent: Monday, November 6, 2023 4:08 PM To: tls@ietf.org

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Watson Ladd
On Mon, Nov 6, 2023, 10:07 AM Kris Kwiatkowski wrote: > So, based on FIPS 140-3 I.G., section C.K., resolution 5, [1]. "SP800-186 > does not impact the curves permitted under SP 800-56Arev3. Curves that are > included in SP 800-186 but not included in SP 800-56Arev3 are not approved > for key

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Bas Westerbaan
On Mon, Nov 6, 2023 at 7:06 PM Kris Kwiatkowski wrote: > So, based on FIPS 140-3 I.G., section C.K., resolution 5, [1]. "SP800-186 > does not impact the curves permitted under SP 800-56Arev3. Curves that are > included in SP 800-186 but not included in SP 800-56Arev3 are not approved > for key

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Kris Kwiatkowski
So, based on FIPS 140-3 I.G., section C.K., resolution 5, [1]. "SP800-186 does not impact the curves permitted under SP 800-56Arev3. Curves that are included in SP 800-186 but not included in SP 800-56Arev3 are not approved for key agreement. E.g., the ECDH X25519 and X448 key agreement schemes

Re: [TLS] [EXTERNAL] Re: Adoption call for Legacy RSASSA-PKCS1-v1_5 codepoints for TLS 1.3

2023-11-06 Thread Andrei Popov
Likewise, I support adoption, willing to contribute text and implementation. Cheers, Andrei From: TLS on behalf of David Benjamin Sent: Monday, November 6, 2023 9:26 AM To: Joseph Salowey Cc: Subject: [EXTERNAL] Re: [TLS] Adoption call for Legacy

Re: [TLS] Adoption call for Legacy RSASSA-PKCS1-v1_5 codepoints for TLS 1.3

2023-11-06 Thread David Benjamin
I support adoption and am willing to contribute text, but this is perhaps not surprising. :-) On Mon, Nov 6, 2023 at 12:25 PM Joseph Salowey wrote: > At the TLS meeting at IETF 118 there was significant support for the > draft Legacy RSASSA-PKCS1-v1_5 codepoints for TLS 1.3 >

[TLS] Adoption call for Legacy RSASSA-PKCS1-v1_5 codepoints for TLS 1.3

2023-11-06 Thread Joseph Salowey
At the TLS meeting at IETF 118 there was significant support for the draft Legacy RSASSA-PKCS1-v1_5 codepoints for TLS 1.3 ( https://datatracker.ietf.org/doc/draft-davidben-tls13-pkcs1/01/) This call is to confirm this on the

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Bas Westerbaan
On Mon, Nov 6, 2023 at 5:40 PM Kampanakis, Panos wrote: > > Concretely, after ML-KEM is finished, I was planning to update > draft-schwabe-cfrg-kyber to match it, and proposing to register a codepoint > for a single ML-KEM-768 hybrid in draft-ietf-tls-hybrid-design. > > > > Agreed, but I would

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Deirdre Connolly
https://datatracker.ietf.org/doc/html/draft-tls-westerbaan-xyber768d00-03 defines the `X25519Kyber768Draft00` `NamedGroup` as 0x6399 https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-kyber-01 defines the `SecP256r1Kyber768Draft00` `NamedGroup` as 0x639A On Mon, Nov 6, 2023 at

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Watson Ladd
I'm most interested in Level I which I think is what the current browser deployments have targeted. Higher security levels are much less relevant at least for now, and I think the platforms will likely look different. I think ML-KEM-768 codepoint and a hybrid one make sense to grab now: AFAIK

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Kampanakis, Panos
> Concretely, after ML-KEM is finished, I was planning to update > draft-schwabe-cfrg-kyber to match it, and proposing to register a codepoint > for a single ML-KEM-768 hybrid in draft-ietf-tls-hybrid-design. Agreed, but I would suggest three (x25519-mlkem768, p256-mlkem768, p384-mlkem1024) to

Re: [TLS] Updated AuthKEM drafts

2023-11-06 Thread Peter C
Thom, If I'm understanding things correctly, the proof of multi-stage security for AuthKEM requires that the KEM used for authentication is IND-CCA2 secure. Unfortunately, kem_x25519kyber768 from draft-westerbaan-cfrg-hpke-xyber768d00 is not IND-CCA2 secure. It simply concatenates the shared

[TLS] How to issue certs for draft-celi-wiggers-tls-authkem ?

2023-11-06 Thread Mike Ounsworth
Hi Thom, Your presentation today was good, but I just want to point out an elephant in the room that's missing from your slides: Public PKI is not currently equipped to issue KEM certificates because every cert enrollment protocol that I can think of uses CSRs at the bottom, and you can't sign

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Thom Wiggers
Hi, > On 6 Nov 2023, at 14:24, Tim Hollebeek > wrote: > > I’m fine if the cocktail napkin says “we’ll either do A or B, we’re still > figuring that out”. I’m not sure if we will be able to say this as strictly as “A xor B”, we might need to do A and B in different

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Tim Hollebeek
I’m fine if the cocktail napkin says “we’ll either do A or B, we’re still figuring that out”. What I’m trying to avoid is the situation where everyone has a different notional quantum-safe TLS design in their heads, but nobody realizes it because nobody has bothered to try to write down the

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Bas Westerbaan
> (3)-(5) are exactly the hard problems I’ve been thinking a lot about > lately. I’d actually be tempted to say that AuthKEM vs signatures is > something we should figure out ASAP. I read AuthKEM again this morning, > and it has a lot of attractive features, but I’m not quite sure what the >

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Tim Hollebeek
So, I was talking to Mike Ounsworth about similar issues at the PQC hackathon. I would like us to agree on what a cocktail napkin description of the desired PQC end state for all the affected protocols looks like. I think that would be very helpful, and this thread looks like it’s starting to

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Bas Westerbaan
Thanks for bringing this up. There are a bunch of (implicit) questions in your e-mail. 1. Do we want rfc describing the final NIST standards? And for which? I'm ok with that — in this order of priority: ml-kem, ml-dsa, slh-dsa. 2. For which algorithms do we want to assign codepoints once the

[TLS] Early IANA Allocations for draft-ietf-tls-dtls-rrc

2023-11-06 Thread Sean Turner
Hi! After discussions with the authors of draft-ietf-tls-dtls-rrc, I would like to determine whether there is consensus to request two early code point assignments; see RFC 7120. One is for the return_routability_check content type and would go in the TLS ContentType registry and one is for the

Re: [TLS] 2nd WG Last Call for draft-ietf-tls-dtls-rrc

2023-11-06 Thread Sean Turner
Hi! While drafting the Shepherd write-up, the authors agreed to pause the publication process until implementations arrived. 20204Q1 (maybe earlier) is the expected timeframe for implementations. But, those implementations need code points. We are at the point where this I-D is stable (it has

Re: [TLS] Early IANA Allocations for draft-ietf-tls-esni

2023-11-06 Thread Sean Turner
> On Oct 31, 2023, at 15:53, Sean Turner wrote: > > > >> On Oct 30, 2023, at 11:58, Sean Turner wrote: >> >> >>> On Sep 18, 2023, at 20:45, Sean Turner wrote: >>> >>> Hi! After discussions with the authors of draft-ietf-tls-esni, Joe and I >>> would like to determine whether there is

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Krzysztof Kwiatkowski
> My current view is that I would like ML-KEM-512, ML-KEM-768, ML-KEM-1024, > ML-DSA-44, ML-DSA-65, and ML-DSA-87 registered asap What do you mean by ASAP? Would you like to get a TLS code-points for algorithms before they are standardised by NIST (hopefully around Q1/24)? Kind regards, Kris

[TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread John Mattsson
Hi, NIST has released draft standards for ML-KEM, ML-DSA, and ML-SLH. Final standards are expected in Q1 2024. https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography I would like to have standard track TLS (and DTLS, QUIC) RFCs for ML-KEM and ML-DSA (all security levels

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-11-06 Thread David Benjamin
Yup, that's right! (Ah yeah, it was confusing to talk about key shares reflecting preferences because we might be talking about the relative order or which were included or omitted. I was thinking the latter since the relative order already comes from supported_groups. I.e. I was thinking of the