[TLS] Re: PQ Cipher Suite I-Ds: adopt or not?

Sat, 04 Jan 2025 06:57:39 -0800 


  I agree with Scott (and Uri). We have the bandwidth to handle this
and the disagreement is over whether "recommended" is Y or N. That
contentious point is not going to resolve itself over any reasonable
amount of time. Let's just do these two and address that point when
the drafts are mature enough to advance.

  regards,

  Dan.

On 12/24/24 9:47 AM, Scott Fluhrer (sfluhrer) wrote:
I would humbly disagree.  I believe this working group has enough bandwidth to handle a couple of postquantum drafts (along with all the other drafts the WG is working on).  I believe that this is especially true because we pretty much agree on the contents – what we have disagreements about is whether or not to endorse those contents.
That said, if the working group decided to delay the hybrid signature drafts, I wouldn’t complain too loudly – those would also depend on the work in the LAMPS working group, and so they’re less likely to be immediately useful. 

*From:*Rob Sayre <say...@gmail.com>
*Sent:* Monday, December 23, 2024 4:26 PM
*To:* Scott Fluhrer (sfluhrer) <sfluh...@cisco.com>
*Cc:* John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org>; Loganaden Velvindron <logana...@gmail.com>; TLS List <tls@ietf.org> 
*Subject:* Re: [TLS] Re: PQ Cipher Suite I-Ds: adopt or not?

Hi all, since I am still on the CC list,
I took the question to be about how to organize the work. If everything is a priority, there are no priorities. 

That's why I want to do this one (and only this one), first:

https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/
Some of the other ones look like they could benefit from waiting, in the sense that contentious points might resolve themselves over time. 

thanks,

Rob
On Mon, Dec 23, 2024 at 11:00 AM Scott Fluhrer (sfluhrer) <sfluh...@cisco.com> wrote: 

    TL;DR: Historical notes: not important for the current discussion.

    To be clear about whether Cisco (or actually, me – I don’t
    actually speak for Cisco, but I like to think they listen to my
    advice) preferred NTRU or NTRU Prime – I actually didn’t have a
    strong opinion.  I advocated NTRU because it made it to round 3
    (rather than stopping at round 2 as NTRUPrime did), and so it
    appeared to be a bit more mature (that is, having more
    cryptanalysis).  If there was a general consensus towards NTRU
    Prime, we would have happily gone along.

    Other than that, John summarized the situation well – Cisco (or
    actually, Cisco’s lawyers) are happy with how the IPR issues
    around ML-KEM were resolved and are going forward with that (with
    both pure and hybrid).

    *From:*John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org>
    *Sent:* Monday, December 23, 2024 9:02 AM
    *To:* Loganaden Velvindron <logana...@gmail.com>; Rob Sayre
    <say...@gmail.com>
    *Cc:* TLS List <tls@ietf.org>
    *Subject:* [TLS] Re: PQ Cipher Suite I-Ds: adopt or not?

    The thread starts with “Due to this, Cisco has preliminarily
    considered Kyber unusable”

    This is obviously not true anymore as Scott very clearly stated
    that Cisco wants to see both hybrid and non-hybrid ML-KEM
    standardized, and that they want to implement and ship both. I
    agree with Scott. Also, I think Cisco was quite clear on that if
    the IPR uncertainties regarding ML-KEM was not addresses, which
    they were, they wanted NTRU, not NTRU Prime
    https://datatracker.ietf.org/doc/html/draft-fluhrer-cfrg-ntru-01
    <https://datatracker.ietf.org/doc/html/draft-fluhrer-cfrg-ntru-01>

    Mozilla is obviously shipping ML-KEM in Firefox. I am an avid user
    of Firefox, and I am happy to see X25519MLKEM768 on more and more
    webpages.

    Cheers,
    John

    *From: *Loganaden Velvindron <logana...@gmail.com>
    *Date: *Monday, 23 December 2024 at 02:56
    *To: *Rob Sayre <say...@gmail.com>
    *Cc: *TLS List <tls@ietf.org>
    *Subject: *[TLS] Re: PQ Cipher Suite I-Ds: adopt or not?

    If there are some patent concerns regarding ML-KEM going forward,
    Would
    considering NTRU-Prime as a less risky option for TLS Kex?

    (Please see this thread:
    
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdiscourse.mozilla.org%2Ft%2Fpatent-license-for-kyber%2F128114&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7Cb49fe1a69fb24e159b5808dd22f5004a%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638705157893766686%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Fi1LM1Q49lgZfAwBOQf5HhvEXZccY%2Bjk9VXHg6yHEaU%3D&reserved=0)
    <https://discourse.mozilla.org/t/patent-license-for-kyber/128114>

    There is a section about patents here:
    
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fntruprime.cr.yp.to%2Fwarnings.html&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7Cb49fe1a69fb24e159b5808dd22f5004a%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638705157893782148%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=T%2B2Ggx2ZxAV%2BCwqSvtrUlptlGHO9iYCFpCYf4Cq3xlA%3D&reserved=0
    <https://ntruprime.cr.yp.to/warnings.html>


    On Tue, 17 Dec 2024 at 02:53, Rob Sayre <say...@gmail.com
    <mailto:say...@gmail.com>> wrote:
    >
    > Hi,
    >
    > I only support an adoption call for this one:
    >
    >
    
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-kwiatkowski-tls-ecdhe-mlkem%2F&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7Cb49fe1a69fb24e159b5808dd22f5004a%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638705157893792936%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=D3lsZ10f5cHom9RHdadaPqHt0bSWb6Q6Cz53MBbq1PM%3D&reserved=0
    <https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/>
    >
    > The other ones seem like they could wait, carefully noting that
    postponement is not a "no" vote.
    >
    > thanks,
    > Rob
    >
    >
    >
    >
    > On Mon, Dec 16, 2024 at 2:21 PM Martin Thomson
    <m...@lowentropy.net <mailto:m...@lowentropy.net>> wrote:
    >>
    >> On Tue, Dec 17, 2024, at 08:59, Sean Turner wrote:
    >> > Is the WG consensus to run four separate adoption calls for the
    >> > individual I-Ds in question?
    >>
    >> I would like to see adoption calls for the key exchange modes
    and not the signature modes.  The key exchange documents are both
    more ready and more urgent.
    >>
    >> The question of whether to set Recommended = Y for any
    particular choice is separable and can wait. Keep things as
    Recommended = N for now.
    >>
    >> _______________________________________________
    >> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
    >> To unsubscribe send an email to tls-le...@ietf.org
    <mailto:tls-le...@ietf.org>
    >
    > _______________________________________________
    > TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
    > To unsubscribe send an email to tls-le...@ietf.org
    <mailto:tls-le...@ietf.org>

    _______________________________________________
    TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
    To unsubscribe send an email to tls-le...@ietf.org
    <mailto:tls-le...@ietf.org>


_______________________________________________
TLS mailing list --tls@ietf.org
To unsubscribe send an email totls-le...@ietf.org


--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to