Dear list,

This email is in regard to draft-celi-wiggers-tls-authkem.

We’ve only made some minor fixes to the authentication-via-KEM proposal that we submitted and presented at the last IETF meeting (IETF111) at the working group. We did receive a few questions and comments on the draft during that presentation and prior to it that we would like to address. We had the impression that those questions were mainly focused on the motivation: the reason for the draft's existence.

Because we found there is not really a lot of space for the motivation of certain choices in the text of the draft itself, we instead wrote a document that we call “AuthKEM abridged”. In it, we try to clearly point out our motivations and design choices and provide an intuition of the security model. You can find it at https://claucece.github.io/draft-celi-wiggers-tls-authkem/docs/authkem-abridged.html. We hope that you will find it useful, and if there is anything we should add or explain better, please let us know.

We touch on questions such as:

- Why consider KEMs for authentication?
- Why now if post-quantum KEMs or post-quantum signatures aren’t standardized yet?
- Discussion about the extra half-round trip that is added

Meanwhile, we’ve been putting some cycles towards the formal analysis of the KEMTLS protocol (which should extend to the AuthKEM one) in Tamarin, building on the existing TLS 1.3 model. There’s still a lot to be done, but we hope to be able to back this draft proposal with some machine-checked analysis in the future.

Noting here as there seemed to be some confusion around it: KEMs are not compatible with non-interactive key exchange schemes such as draft-ietf-tls-semistatic-dh. At the moment, CSIDH is the only post-quantum scheme compatible with semistatic-DH-like protocols. CSIDH is probably not practical for use in TLS due to it being very slow, and its security level is still the subject of intense debate.

Cheers and have a nice IETF 112,

Thom Wiggers and Sofía Celi
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls