[TLS] Re: ML-DSA in TLS

Tue, 19 Nov 2024 00:49:38 -0800 

On Monday, 18 November 2024 23:24:51 CET, D. J. Bernstein wrote:

Alicja Kario writes:

Unfortunately, I don't think we have a rough consensus in
LAMPS on how hybrid signatures should be done just yet, and without that,
we can't standardise it for TLS.


It's trivial to build a signature system where each signature has,
internally, an Ed25519 signature followed by whichever PQ signature,
of course with the verifier requiring both signatures to pass.

Nothing is stopping TLS from going ahead with this straightforward form
of ECC+PQ for signatures, analogously to draft-ietf-tls-hybrid-design
for KEMs. This eliminates the delay issue. Compared to just PQ in TLS,
focusing on ECC+PQ in TLS will do a better job of encouraging upgrades.


The issue is not how to do that in TLS. You take the same inputs we use
with Ed25519 and you pass them to the hybrid signing process.

The issue is how to integrate it with the rest of PKIX.
We can't use hybrid if we don't have a specification how to put hybrid keys
into X.509 certificates.


There are other combiner options that hash more inputs in the hope of
protecting more protocols. A unified combiner that hashes all available
inputs, as in Chempat for KEMs or

   https://mailarchive.ietf.org/arch/msg/cfrg/LdvasJBpseekZtQkQF1nuPPDH_s/

for signatures, turns out to have very little cost in context (as an
analogy, remember how the world didn't come to an end when TLS moved to
hashing the transcript?), but there are still other combiner proposals
that skimp on hash calls. So, sure, waiting for those discussions to
settle would produce a delay---but I don't see how that's an argument
for doing PQ instead of ECC+PQ.


I'm not arguing that we should do PQ instead of ECC+PQ. I've already stated
that I'm in favour of hybrid, and I have already contributed to the draft
that specifies their use in TLS.


I'm arguing that we can specify both. And that there are no technical 
reasons

for not specifying use of pure PQ signatures.
--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

























					Reply via email to