Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-09 Thread Thom Wiggers
or > algorithm.” > > I agree with that. > > Cheers, > John Preuß Mattsson > > > > From: TLS on behalf of > Sophie Schmieg > Date: Thursday, 9 November 2023

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-09 Thread D. J. Bernstein
Sophie Schmieg writes: > NTRU being chosen for non-security related criteria that have since > materially changed. I recommend discussing the patent issues explicitly, including public analysis of the patent threats. For example, Yunlei Zhao in

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-09 Thread John Mattsson
Thursday, 9 November 2023 at 12:28 To: Scott Fluhrer (sfluhrer) Cc: John Mattsson , Sophie Schmieg , tls@ietf.org Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? There are several documents in a cluster that define new hybrid `NamedGroup`s and how those operate /

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-09 Thread Deirdre Connolly
ngineering decision, given the right > negotiation mechanism), but if it delays actual deployment, I would prefer > if we didn’t. > > > > *From:* TLS *On Behalf Of *John Mattsson > *Sent:* Thursday, November 9, 2023 3:48 AM > *To:* Sophie Schmieg ; tls@ietf.org > *Subject:* Re: [

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-09 Thread Scott Fluhrer (sfluhrer)
er 2023 at 08:40 To: tls@ietf.org Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? > > On 8 Nov 2023, at 8:34, Loganaden Velvindron > > wrote: > > > > I

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-09 Thread Ilari Liusvaara
On Thu, Nov 09, 2023 at 08:48:07AM +, John Mattsson wrote: > > Everybody seems to agree that hybrids should be specified. Looking in > my crystal ball, I predict that registering hybrids as code points > will be a big mess with way too many opinions and registrations > similar to the TLS 1.2

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-09 Thread John Mattsson
in my opinion the superior algorithm.” I agree with that. Cheers, John Preuß Mattsson From: TLS on behalf of Sophie Schmieg Date: Thursday, 9 November 2023 at 08:40 To: tls@ietf.org Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? > > On 8 Nov 2023, at 8:34, Logana

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-08 Thread Sophie Schmieg
> > On 8 Nov 2023, at 8:34, Loganaden Velvindron wrote: > > > > I support moving forward with hybrids as a proactively safe deployment > > option. I think that supporting > > only Kyber for KEX is not enough. It would make sense to have more options. > > > > Google uses NTRU HRSS internally: > >

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-08 Thread Dan Brown
Agreeing on security gains from hybrid. Should TLS ask CFRG (again?) what to do about PQC? > From: D. J. Bernstein > > Yoav Nir writes: > > To justify a hybrid key exchange you need people who are both worried > > about quantum computers and worried about cryptanalysis or the new > >

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-08 Thread Yoav Nir
> On 8 Nov 2023, at 8:34, Loganaden Velvindron wrote: > > I support moving forward with hybrids as a proactively safe deployment > option. I think that supporting > only Kyber for KEX is not enough. It would make sense to have more options. > > Google uses NTRU HRSS internally: >

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-08 Thread D. J. Bernstein
John Mattsson writes: > NIST does not deserve any criticism for continuing to evaluate SIKE. The NIST actions that I quoted go far beyond "continuing to evaluate SIKE". NIST explicitly pointed to SIKE as part of its official rationale for throwing away FrodoKEM and delaying a decision on Classic

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-07 Thread John Mattsson
o: tls@ietf.org Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? Yoav Nir writes: > To justify a hybrid key exchange you need people who are both worried > about quantum computers and worried about cryptanalysis or the new > algorithms, but are willing to bet that those

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-07 Thread Loganaden Velvindron
> Sent: Monday, November 6, 2023 2:44 PM > To: Kris Kwiatkowski > Cc: Bas Westerbaan ; TLS List > > Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? > > > > Why do we need FIPS hybrids? The argument for hybrids is that we don't

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-07 Thread John Mattsson
issuance, I think a SIGMA-I mode with signatures would still be needed. Cheers, John From: Bas Westerbaan Date: Monday, 6 November 2023 at 12:37 To: John Mattsson Cc: TLS@ietf.org Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? Thanks for bringing this up

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-07 Thread D. J. Bernstein
Yoav Nir writes: > To justify a hybrid key exchange you need people who are both worried > about quantum computers and worried about cryptanalysis or the new > algorithms, but are willing to bet that those things won’t happen at > the same time. Or at least, within the time where the generated

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-07 Thread Scott Fluhrer (sfluhrer)
Westerbaan ; TLS List Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? For signatures or keys in something like a certificate, I understand how you would want to have both the PQ and classical keys/sigs in the same structure, so satisfy those who want the classical algorithm

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-07 Thread Yoav Nir
November 6, 2023 2:44 PM > To: Kris Kwiatkowski > Cc: Bas Westerbaan ; TLS List > Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? >

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-07 Thread Scott Fluhrer (sfluhrer)
On Behalf Of Watson Ladd Sent: Monday, November 6, 2023 2:44 PM To: Kris Kwiatkowski Cc: Bas Westerbaan ; TLS List Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? Why do we need FIPS hybrids? The argument for hybrids is that we don't trust the code/algorithms that's new

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Yoav Nir
> On 6 Nov 2023, at 21:44, Watson Ladd wrote: > > > > On Mon, Nov 6, 2023, 10:07 AM Kris Kwiatkowski > wrote: >> So, based on FIPS 140-3 I.G., section C.K., resolution 5, [1]. "SP800-186 >> does not impact the curves permitted under SP 800-56Arev3. Curves that

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Watson Ladd
On Mon, Nov 6, 2023, 10:07 AM Kris Kwiatkowski wrote: > So, based on FIPS 140-3 I.G., section C.K., resolution 5, [1]. "SP800-186 > does not impact the curves permitted under SP 800-56Arev3. Curves that are > included in SP 800-186 but not included in SP 800-56Arev3 are not approved > for key

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Bas Westerbaan
On Mon, Nov 6, 2023 at 7:06 PM Kris Kwiatkowski wrote: > So, based on FIPS 140-3 I.G., section C.K., resolution 5, [1]. "SP800-186 > does not impact the curves permitted under SP 800-56Arev3. Curves that are > included in SP 800-186 but not included in SP 800-56Arev3 are not approved > for key

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Kris Kwiatkowski
So, based on FIPS 140-3 I.G., section C.K., resolution 5, [1]. "SP800-186 does not impact the curves permitted under SP 800-56Arev3. Curves that are included in SP 800-186 but not included in SP 800-56Arev3 are not approved for key agreement. E.g., the ECDH X25519 and X448 key agreement schemes

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Bas Westerbaan
On Mon, Nov 6, 2023 at 5:40 PM Kampanakis, Panos wrote: > > Concretely, after ML-KEM is finished, I was planning to update > draft-schwabe-cfrg-kyber to match it, and proposing to register a codepoint > for a single ML-KEM-768 hybrid in draft-ietf-tls-hybrid-design. > > > > Agreed, but I would

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Deirdre Connolly
ntum-safe TLS design in their heads, but nobody realizes it > because nobody has bothered to try to write down the details, even at a > very high level. > > > > If it changes in the future due to new events or analysis, that’s ok too. > > > > -Tim > >

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Watson Ladd
o new events or analysis, that’s ok too. > > -Tim > > From: Bas Westerbaan > Sent: Monday, November 6, 2023 1:14 PM > To: Tim Hollebeek > Cc: John Mattsson ; TLS@ietf.org > Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? > > > > (

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Kampanakis, Panos
mlkem1024) to cover FIPS and CNSA 2.0 compliance. More than three combinations is unnecessary imo. From: TLS On Behalf Of Bas Westerbaan Sent: Monday, November 6, 2023 6:37 AM To: John Mattsson Cc: TLS@ietf.org Subject: RE: [EXTERNAL] [TLS] What is the TLS WG plan for quantum-resistant a

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Thom Wiggers
that’s ok too. > > -Tim > > From: Bas Westerbaan > Sent: Monday, November 6, 2023 1:14 PM > To: Tim Hollebeek > Cc: John Mattsson ; TLS@ietf.org > Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms? > > > (3)-(5) are exactly the

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Tim Hollebeek
the details, even at a very high level. If it changes in the future due to new events or analysis, that’s ok too. -Tim From: Bas Westerbaan Sent: Monday, November 6, 2023 1:14 PM To: Tim Hollebeek Cc: John Mattsson ; TLS@ietf.org Subject: Re: [TLS] What is the TLS WG plan for quantum

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Bas Westerbaan
> (3)-(5) are exactly the hard problems I’ve been thinking a lot about > lately. I’d actually be tempted to say that AuthKEM vs signatures is > something we should figure out ASAP. I read AuthKEM again this morning, > and it has a lot of attractive features, but I’m not quite sure what the >

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Tim Hollebeek
M is a quite big change to TLS https://datatracker.ietf.org/doc/draft-wiggers-tls-authkem-psk/ This is not adopted, informal, and dealing with the pre-standard Kyber. https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/ What is the TLS WG plan for quantum-resistant al

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Bas Westerbaan
/doc/draft-wiggers-tls-authkem-psk/ > > > > This is not adopted, informal, and dealing with the pre-standard Kyber. > > https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/ > > > > What is the TLS WG plan for quantum-resistant algorithms? My current view

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread Krzysztof Kwiatkowski
> My current view is that I would like ML-KEM-512, ML-KEM-768, ML-KEM-1024, > ML-DSA-44, ML-DSA-65, and ML-DSA-87 registered asap What do you mean by ASAP? Would you like to get TLS code-points for algorithms before they are standardised by NIST (hopefully around Q1/24)? Kind regards, Kris

[TLS] What is the TLS WG plan for quantum-resistant algorithms?

2023-11-06 Thread John Mattsson
/doc/draft-wiggers-tls-authkem-psk/ This is not adopted, informal, and dealing with the pre-standard Kyber. https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/ What is the TLS WG plan for quantum-resistant algorithms? My current view is that I would like ML-KEM-512, ML-KEM-768, ML