+1 on starting to see a little SHA-3 trickle down to TLS, IPsec, SSH and more common protocols.
From: TLS <tls-boun...@ietf.org> On Behalf Of John Mattsson
Sent: Friday, January 27, 2023 6:25 AM
To: tls@ietf.org
Cc: hojarasca2022 <hojarasca2022=40proton...@dmarc.ietf.org>; Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>
Subject: RE: [EXTERNAL][TLS] about hash and post-quantum ciphers

Hi,

I don't think non-standardized algorithms should be adopted by the WG. Even for just assigning a number, a good first step would be CFRG.

But this mail got me thinking:

- I think the lack of hash algorithm crypto agility in TLS 1.3 is unsatisfactory. The _only_ option in TLS 1.3 is SHA2.

- NIST is expected to exclusively use SHA3 in the lattice-based PQC algorithms. I think it would make very much sense to include SHA3 (the SHAKE variants) at the same time as the standardized NIST PQC algorithms.

- TLS 1.3 hardcodes use of the quite outdated HMAC and HKDF constructions that only exist because SHA2 is fixed-length and suffers badly from length-extension attacks. Modern hash algorithms like SHAKE/KMAC are variable-length and do not suffer from length-extension attacks. If SHA3 is added in the future, I think it would make sense to use KMAC instead of HMAC and HKDF. Might also be nice to use the duplex construction whose security can be shown to be equivalent to the sponge construction.

Cheers,
John

From: TLS <tls-boun...@ietf.org> on behalf of Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>
Date: Thursday, 26 January 2023 at 20:42
To: hojarasca2022 <hojarasca2022=40proton...@dmarc.ietf.org>, tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] about hash and post-quantum ciphers

In TLS 1.3, AES256-SHA384 is not mandatory to implement.

If there is a freely available published specification of BLAKE3, you can request an assigned number for it in the TLS registry [1].

* Furthermore, NIST selected some post-quantum ciphers: https://nist.gov/pqcrypto

Hm, are you new here? The archives have a couple hundred messages about post-quantum.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
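John's third bullet turns on what HMAC and HKDF actually do inside TLS 1.3's key schedule. The Python below is an added example, not code from this thread, from any IETF draft or from any TLS implementation: it implements HKDF-Extract and HKDF-Expand per RFC 5869 on top of the standard library's hmac/hashlib, checks them against the first test vector in RFC 5869 Appendix A, builds the HkdfLabel encoding that RFC 8446 section 7.1 feeds into HKDF-Expand-Label and Derive-Secret, and, for contrast with the "variable-length" point, shows a SHAKE256 XOF producing an arbitrary output length in one call. The shake_derive function is a plain XOF call for illustration only; it is not KMAC (SP 800-185 adds a keyed, customizable encoding) and not any proposed TLS construction. All function names are my own.

```python
import hashlib
import hmac
import struct


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 s2.2): PRK = HMAC-Hash(salt, IKM).

    An absent/empty salt is replaced by HashLen zero bytes, as the RFC
    requires (TLS 1.3 writes this explicitly as a salt of all zeros)."""
    hash_len = hashlib.new(hash_name).digest_size
    if not salt:
        salt = b"\x00" * hash_len
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 s2.3): OKM = T(1) || T(2) || ... truncated to length.

    T(0) is empty and T(i) = HMAC-Hash(PRK, T(i-1) || info || i) with a
    one-byte counter, so the construction tops out at 255 * HashLen bytes.
    This counter loop is what a fixed-length hash forces on the design."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand: requested length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """Encode the HkdfLabel struct of RFC 8446 s7.1:
    uint16 length; opaque label<7..255> = "tls13 " + Label; opaque context<0..255>."""
    full_label = b"tls13 " + label
    if not 7 <= len(full_label) <= 255 or len(context) > 255:
        raise ValueError("HkdfLabel: label or context length out of range")
    return (struct.pack(">H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int,
                      hash_name: str = "sha256") -> bytes:
    """HKDF-Expand-Label(Secret, Label, Context, Length) from RFC 8446 s7.1."""
    return hkdf_expand(secret, hkdf_label(length, label, context), length, hash_name)


def derive_secret(secret: bytes, label: bytes, transcript: bytes,
                  hash_name: str = "sha256") -> bytes:
    """Derive-Secret(Secret, Label, Messages) =
    HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), Hash.length)."""
    h = hashlib.new(hash_name, transcript)
    return hkdf_expand_label(secret, label, h.digest(), h.digest_size, hash_name)


def shake_derive(key: bytes, info: bytes, length: int) -> bytes:
    """Illustration only: a SHAKE256 XOF yields any output length in a single
    call, with no counter loop and no 255 * HashLen ceiling. This is NOT KMAC
    and is not a TLS construction; it only shows what 'variable-length' buys."""
    return hashlib.shake_256(key + info).digest(length)


# RFC 5869 Appendix A, test case 1 (SHA-256); values copied from the RFC.
RFC5869_IKM = bytes.fromhex("0b" * 22)
RFC5869_SALT = bytes.fromhex("000102030405060708090a0b0c")
RFC5869_INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
RFC5869_PRK = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
RFC5869_OKM = bytes.fromhex(
    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")


def rfc5869_test_case_1() -> bool:
    """True if hkdf_extract/hkdf_expand reproduce the RFC's PRK and 42-byte OKM."""
    prk = hkdf_extract(RFC5869_SALT, RFC5869_IKM)
    okm = hkdf_expand(prk, RFC5869_INFO, 42)
    return prk == RFC5869_PRK and okm == RFC5869_OKM


if __name__ == "__main__":
    print("RFC 5869 test case 1:", "ok" if rfc5869_test_case_1() else "FAIL")
    # TLS 1.3 Early Secret from an all-zero PSK, then the "derived" secret
    # that feeds the next HKDF-Extract (RFC 8446 s7.1); transcript is empty here.
    early_secret = hkdf_extract(b"", b"\x00" * 32)
    derived = derive_secret(early_secret, b"derived", b"")
    print("early secret: ", early_secret.hex())
    print("derived secret:", derived.hex())
    print("shake 100 bytes:", shake_derive(b"k", b"info", 100).hex())
```

Run it as a script to see the test vector pass and the first two steps of the TLS 1.3 key schedule; the functions can also be imported and checked individually. Note how every byte of output from hkdf_expand costs one HMAC call and is tied to a one-byte counter, whereas the XOF simply keeps squeezing; that difference, rather than any weakness in HMAC itself, is the design point John raises.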