John, I agree with all of your points.
TNX
P.S. Maybe it would be good for NIST to standardize BLAKE3. But until it does –
…
--
V/R,
Uri
There are two ways to design a system. One is to make it so simple there are
obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
From: TLS <[email protected]> on behalf of John Mattsson
<[email protected]>
Date: Friday, January 27, 2023 at 06:26
To: "[email protected]" <[email protected]>
Cc: hojarasca2022 <[email protected]>, "Salz, Rich"
<[email protected]>
Subject: Re: [TLS] about hash and post-quantum ciphers
Hi,
I don't think non-standardized algorithms should be adopted by the WG. Even for
just assigning a number, a good first step would be CFRG.
But this mail got me thinking:
- I think the lack of hash algorithm crypto agility in TLS 1.3 is
unsatisfactory. The _only_ option in TLS 1.3 is SHA2.
- NIST is expected to exclusively use SHA3 in the lattice-based PQC algorithms.
I think it would make very much sense to include SHA3 (the SHAKE variants) at
the same time as the standardized NIST PQC algorithms.
- TLS 1.3 hardcodes use of the quite outdated HMAC and HKDF constructions that
only exist because SHA2 is fixed-length and suffers badly from
length-extension attacks. Modern hash algorithms like SHAKE/KMAC are
variable-length and do not suffer from length-extension attacks. If SHA3 is
added in the future, I think it would make sense to use KMAC instead of HMAC
and HKDF. Might also be nice to use the duplex construction whose security can
be shown to be equivalent to the sponge construction.
Cheers,
John
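As an added illustration of the HMAC-based key schedule John refers to (this is not part of the thread, nor code from any TLS implementation), the following Python builds HKDF-Extract and HKDF-Expand from RFC 5869 on top of HMAC-SHA-256, then layers the TLS 1.3 HkdfLabel encoding, HKDF-Expand-Label and Derive-Secret from RFC 8446 section 7.1 on top of them, using only the standard library. The function names are the RFC's own names in snake_case; the `tls13_early_secret` helper and its zero-PSK default are this example's convention for the first Extract step of the key schedule.

```python
import hashlib
import hmac

# TLS 1.3 cipher suites fix the hash to SHA-2 (SHA-256 or SHA-384); SHA-256 here.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        # RFC 5869: an absent salt is treated as HashLen zero bytes.
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length exceeds 255 * HashLen")
    okm = b""
    t = b""  # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """Serialise the HkdfLabel struct of RFC 8446 section 7.1:
    uint16 length; opaque label<7..255> = "tls13 " + Label; opaque context<0..255>."""
    full_label = b"tls13 " + label
    if not 7 <= len(full_label) <= 255 or len(context) > 255:
        raise ValueError("HkdfLabel: label or context length out of range")
    return (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label(Secret, Label, Context, Length) from RFC 8446 section 7.1."""
    return hkdf_expand(secret, hkdf_label(length, label, context), length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages): the context is Transcript-Hash(Messages)."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def tls13_early_secret(psk: bytes = b"") -> bytes:
    """Early Secret = HKDF-Extract(salt=0, IKM=PSK); with no PSK the IKM is
    Hash.length zero bytes, as RFC 8446 section 7.1 specifies (helper name is this example's)."""
    if not psk:
        psk = b"\x00" * HASH_LEN
    return hkdf_extract(b"\x00" * HASH_LEN, psk)


if __name__ == "__main__":
    # Walk the first two steps of the key schedule with no PSK and an empty transcript.
    early = tls13_early_secret()
    derived = derive_secret(early, b"derived", b"")
    print("early secret  :", early.hex())
    print("derived secret:", derived.hex())
```

Running the block prints the zero-PSK early secret that every TLS 1.3 handshake without a pre-shared key starts from, which is why the value is a fixed constant for SHA-256 suites; the `hkdf_label` encoding is the part that ties every derived key to the "tls13 " label namespace, and it is this whole HMAC/HKDF layering that a KMAC-based design would replace with a single keyed call.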
From: TLS <[email protected]> on behalf of Salz, Rich
<[email protected]>
Date: Thursday, 26 January 2023 at 20:42
To: hojarasca2022 <[email protected]>, [email protected]
<[email protected]>
Subject: Re: [TLS] about hash and post-quantum ciphers
In TLS 1.3, AES256-SHA384 is not mandatory to implement.
If there is a freely available published specification of BLAKE3, you can
request an assigned number for it in the TLS registry [1].
> Furthermore, NIST selected some post-quantum ciphers:
> https://nist.gov/pqcrypto
Hm, are you new here? The archives have a couple hundred messages about
post-quantum.
[1]
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
