Re: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt
On Jul 22, 2021, at 00:46, Kampanakis, Panos wrote: > > Hi Uri, > > Thank you for the clarifications. > > So you have a usecase that > - want to use PQ algorithms > - is significantly affected by an extra 1-2 or 4-5KB on the link > - does not send a cert chain, only leaf certs Yes. > - can cache or fetch the peer public keys in order to do KEMTLS I did not say that. As far as I can tell now, there's no way to fetch (outside/OOB of this protocol) peer's pub keys or certs. Caching received and validated keys to ease the reconnects is an interesting idea. I'll need to figure whether the comm savings outweigh the extra complexity and branching of the protocol. > Although I don't consider it the general usecase, maybe KEMTLS is the way to > go there. I'm 99.9% sure it is. > Other good options imo for it would be draft-ietf-tls-ctls and rfc7924 to > save even more on data put on the link. Thank you! Seems applicable - let me check. Thanks > -Original Message- > From: Blumenthal, Uri - 0553 - MITLL > Sent: Tuesday, July 13, 2021 1:17 AM > To: Kampanakis, Panos > Cc: ; Douglas Stebila ; Eric > Rescorla > Subject: RE: [EXTERNAL] [TLS] Comments on > draft-celi-wiggers-tls-authkem-00.txt > >> If we are talking NIST Level 5 (and I am assuming you are >> discussing mTLS), > > Yes. ;-) > >> ...have you calculated the total CertVerify+cert chain sizes >> there assuming 2 ICAs let's say? > > More or less. ;-) > > My use case has all the ICAs pre-loaded - the transmitted chain contains only > one entity cert. I'm sacrificing flexibility for performance under > constraints. Size is the real enemy here. > > >> And would constrained devices or mediums that sweat about 5KB >> really be able to support PQ KEMs and Sigs at NIST Level 5? > > My tests showed that they *do* support PQ KEMs (NTRU and Kyber - haven't > tried McEliece ;) and Sigs (Falcon and Dilithium - haven't tried Rainbow ;) > at Level 5. Caveat - they do only Sig *verification* (which suits me fine). > > (I posted benchmarks from Intel Core i9, but they work acceptably well on the > "smaller" chips.) > > Also, sorry if I did not make it clear - it's not the *devices* themselves > that sweat 5KB, it's their austere links. > > > >-Original Message- >From: TLS On Behalf Of Blumenthal, Uri - 0553 - > MITLL >Sent: Monday, July 12, 2021 11:39 PM >To: Douglas Stebila ; Eric Rescorla >Cc: >Subject: RE: [EXTERNAL] [TLS] Comments on > draft-celi-wiggers-tls-authkem-00.txt > >CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > >Let me emphasize the reasons Douglas brought up. Note that I need to use > NIST Sec Level 5 algorithms. So, Kyber-1024 and Dilithium5 (other algorithms > show even worse ratio between KEM and signature!). > >Communications costs: >- Difference in public key sizes: 1568 bytes of Kyber vs. 2592 bytes of > Dilithium => 1024 extra bytes to carry over channel each way; >- Signature: extra 4595 bytes each way, because in addition to exchanging > certs (aka "signed public keys", which is inevitable) you need to sign the > exchange and communicate that signature across; >- Total: 5619 extra bytes each way. For peer-to-peer broadband > connections, you can say "so what?". But my links are *very* austere. > >Computation costs (ballpark, on a powerful CPU): >- KEM: keygen 15us, encap 18us, decap 14us (say, double encap and decap > for PFS-providing exchange); >- Signature: sign 113us, verify 55us; >- Comparison: 134us for signature-less KEM vs. 215us for TLS-like exchange > => almost twice as long; >- Difference may be negligible for Intel Xeon, but for my much weaker > hardware it matters. > >So, for constrained environments with austere comm links, signature-less > "authkem" is God-sent. >Big servers that need to support many clients (so they care how much CPU > cycles and comm bytes they spend on every connection) would appreciate these > savings too. > >@ekr,I hope this provides convincing explanation why "authkem" is needed. > >P.S. I know that Falcon has much more favorable sizes - but (a) it takes > three times as long to sign, and (b) it uses FP calculations, which isn't > great to implement in my environment. >-- >Regards, >Uri > >There are two ways to design a system. One is to make is so simple there > are obviously no deficiencies. >The other is to make it so complex there are no obvious deficiencies. > > - C. A. R. Hoare > > >On 7/12/21, 20:59, "TLS on behalf of Douglas Stebila" > wrote: > >Hi Eric, > >The main motivation is that, in some cases, post-quantum si
Re: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt
Thx. Understood. >> - can cache or fetch the peer public keys in order to do KEMTLS > I did not say that. As far as I can tell now, there's no way to fetch > (outside/OOB of this protocol) peer's pub keys or certs. draft-ietf-tls-esni does it with DNS HTTPS RRs, but indeed it would require new efforts to make it happen with additional operational challenges. If caching the peer public key is an option for your usecase, then cache management could be an operational challenge for clients that talk to many peers. If caching peer public keys is not an option either, then you will have to pay the price of an extra round-trip to get the peer KEM public key. -Original Message- From: Blumenthal, Uri - 0553 - MITLL Sent: Thursday, July 22, 2021 8:49 AM To: Kampanakis, Panos Cc: tls@ietf.org; Douglas Stebila ; Eric Rescorla Subject: RE: [EXTERNAL] [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt On Jul 22, 2021, at 00:46, Kampanakis, Panos wrote: > > Hi Uri, > > Thank you for the clarifications. > > So you have a usecase that > - want to use PQ algorithms > - is significantly affected by an extra 1-2 or 4-5KB on the link > - does not send a cert chain, only leaf certs Yes. > - can cache or fetch the peer public keys in order to do KEMTLS I did not say that. As far as I can tell now, there's no way to fetch (outside/OOB of this protocol) peer's pub keys or certs. Caching received and validated keys to ease the reconnects is an interesting idea. I'll need to figure whether the comm savings outweigh the extra complexity and branching of the protocol. > Although I don't consider it the general usecase, maybe KEMTLS is the way to > go there. I'm 99.9% sure it is. > Other good options imo for it would be draft-ietf-tls-ctls and rfc7924 to > save even more on data put on the link. Thank you! Seems applicable - let me check. Thanks > -Original Message- > From: Blumenthal, Uri - 0553 - MITLL > Sent: Tuesday, July 13, 2021 1:17 AM > To: Kampanakis, Panos > Cc: ; Douglas Stebila ; Eric > Rescorla > Subject: RE: [EXTERNAL] [TLS] Comments on > draft-celi-wiggers-tls-authkem-00.txt > >> If we are talking NIST Level 5 (and I am assuming you are >> discussing mTLS), > > Yes. ;-) > >> ...have you calculated the total CertVerify+cert chain sizes >> there assuming 2 ICAs let's say? > > More or less. ;-) > > My use case has all the ICAs pre-loaded - the transmitted chain contains only > one entity cert. I'm sacrificing flexibility for performance under > constraints. Size is the real enemy here. > > >> And would constrained devices or mediums that sweat about 5KB >> really be able to support PQ KEMs and Sigs at NIST Level 5? > > My tests showed that they *do* support PQ KEMs (NTRU and Kyber - haven't > tried McEliece ;) and Sigs (Falcon and Dilithium - haven't tried Rainbow ;) > at Level 5. Caveat - they do only Sig *verification* (which suits me fine). > > (I posted benchmarks from Intel Core i9, but they work acceptably well on the > "smaller" chips.) > > Also, sorry if I did not make it clear - it's not the *devices* themselves > that sweat 5KB, it's their austere links. > > > >-Original Message- >From: TLS On Behalf Of Blumenthal, Uri - 0553 - > MITLL >Sent: Monday, July 12, 2021 11:39 PM >To: Douglas Stebila ; Eric Rescorla >Cc: >Subject: RE: [EXTERNAL] [TLS] Comments on > draft-celi-wiggers-tls-authkem-00.txt > >CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > >Let me emphasize the reasons Douglas brought up. Note that I need to use > NIST Sec Level 5 algorithms. So, Kyber-1024 and Dilithium5 (other algorithms > show even worse ratio between KEM and signature!). > >Communications costs: >- Difference in public key sizes: 1568 bytes of Kyber vs. 2592 bytes of > Dilithium => 1024 extra bytes to carry over channel each way; >- Signature: extra 4595 bytes each way, because in addition to exchanging > certs (aka "signed public keys", which is inevitable) you need to sign the > exchange and communicate that signature across; >- Total: 5619 extra bytes each way. For peer-to-peer broadband > connections, you can say "so what?". But my links are *very* austere. > >Computation costs (ballpark, on a powerful CPU): >- KEM: keygen 15us, encap 18us, decap 14us (say, double encap and decap > for PFS-providing exchange); >- Signature: sign 113us, verify 55us; >- Comparison: 134us for signature-less KEM vs. 215us for TLS-like exchange > => almost twice as long; >- Difference may be negligible for Intel Xeon, but for my much weaker > hardware it matters. > >So, for constrained environments with austere comm links, signature-less > "authkem" is God-sent. >Big servers that need to support many clients (so they care how
Re: [TLS] WGLC for draft-ietf-tls-flags
On Fri, Jul 16, 2021 at 04:55:49PM -0700, Christopher Wood wrote: > This is the second working group last call for the "A Flags Extension for TLS > 1.3" draft, available here: > > https://datatracker.ietf.org/doc/draft-ietf-tls-tlsflags/ > > Please review this document and send your comments to the list by July 30, > 2021. The GitHub repository for this draft is available here: > > https://github.com/tlswg/tls-flags Just one editorial comment, I think that the initial registration code point of 0x8 (hex) is potentially confusing, is it the 8th bit, or the or bit 3? The bit positions range from 0 to 2047 and are easier to understand in decimal, especially with the registration ranges given in decimal. So in this document, and in the IANA registry, the code points should be decimal. -- Viktor. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt
>>> - can cache or fetch the peer public keys in order to do KEMTLS >> I did not say that. As far as I can tell now, there's no way to fetch > (outside/OOB of this protocol) peer's pub keys or certs. > >draft-ietf-tls-esni does it with DNS HTTPS RRs, but indeed it would > require new efforts to make it happen with additional operational challenges. Most likely it won't work in my environment, but need to check. >If caching the peer public key is an option for your use case, then cache > management could be an operational challenge for clients that talk to many > peers. Exactly! Open question for now. >If caching peer public keys is not an option either, then you will have to > pay the price of an extra round-trip to get the peer KEM public key. Yes, and this is what we've been planning for. In general, one extra round-trip is not a "pain point" for my use case, as long as one round-trip fits into the link constraints. Now that you mentioned the possibility of caching keys, and paying that extra round-trip price only once - we'll evaluate the implementation costs of doing that. Thanks! -Original Message- From: Blumenthal, Uri - 0553 - MITLL Sent: Thursday, July 22, 2021 8:49 AM To: Kampanakis, Panos Cc: tls@ietf.org; Douglas Stebila ; Eric Rescorla Subject: RE: [EXTERNAL] [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt On Jul 22, 2021, at 00:46, Kampanakis, Panos wrote: > > Hi Uri, > > Thank you for the clarifications. > > So you have a usecase that > - want to use PQ algorithms > - is significantly affected by an extra 1-2 or 4-5KB on the link > - does not send a cert chain, only leaf certs Yes. > - can cache or fetch the peer public keys in order to do KEMTLS I did not say that. As far as I can tell now, there's no way to fetch (outside/OOB of this protocol) peer's pub keys or certs. Caching received and validated keys to ease the reconnects is an interesting idea. I'll need to figure whether the comm savings outweigh the extra complexity and branching of the protocol. > Although I don't consider it the general usecase, maybe KEMTLS is the way to go there. I'm 99.9% sure it is. > Other good options imo for it would be draft-ietf-tls-ctls and rfc7924 to save even more on data put on the link. Thank you! Seems applicable - let me check. Thanks > -Original Message- > From: Blumenthal, Uri - 0553 - MITLL > Sent: Tuesday, July 13, 2021 1:17 AM > To: Kampanakis, Panos > Cc: ; Douglas Stebila ; Eric Rescorla > Subject: RE: [EXTERNAL] [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt > >> If we are talking NIST Level 5 (and I am assuming you are >> discussing mTLS), > > Yes. ;-) > >> ...have you calculated the total CertVerify+cert chain sizes >> there assuming 2 ICAs let's say? > > More or less. ;-) > > My use case has all the ICAs pre-loaded - the transmitted chain contains only one entity cert. I'm sacrificing flexibility for performance under constraints. Size is the real enemy here. > > >> And would constrained devices or mediums that sweat about 5KB >> really be able to support PQ KEMs and Sigs at NIST Level 5? > > My tests showed that they *do* support PQ KEMs (NTRU and Kyber - haven't tried McEliece ;) and Sigs (Falcon and Dilithium - haven't tried Rainbow ;) at Level 5. Caveat - they do only Sig *verification* (which suits me fine). > > (I posted benchmarks from Intel Core i9, but they work acceptably well on the "smaller" chips.) > > Also, sorry if I did not make it clear - it's not the *devices* themselves that sweat 5KB, it's their austere links. > > > >-Original Message- >From: TLS On Behalf Of Blumenthal, Uri - 0553 - MITLL >Sent: Monday, July 12, 2021 11:39 PM >To: Douglas Stebila ; Eric Rescorla >Cc: >Subject: RE: [EXTERNAL] [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt > >CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > >Let me emphasize the reasons Douglas brought up. Note that I need to use NIST Sec Level 5 algorithms. So, Kyber-1024 and Dilithium5 (other algorithms show even worse ratio between KEM and signature!). > >Communications costs: >- Difference in public key sizes: 1568 bytes of Kyber vs. 2592 bytes of Dilithium => 1024 extra bytes to carry over channel each way; >- Signature: extra 4595 bytes each way, because in addition to exchanging certs (aka "signed public keys", which is inevitable) you need to sign the exchange and communicate that signature across; >- Tota
