Intent to prototype: Post-quantum key agreement for TLS using X25519Kyber768

John Schanck

Feb 12, 2024, 12:57:43 PM
to dev-pl...@mozilla.org
Summary: Experiment with the X25519Kyber768 post-quantum key agreement mechanism for TLS.

I intend to evaluate the performance characteristics and deployability of a next-generation cryptosystem called Kyber. Unlike currently deployed systems, Kyber is believed to be secure against attackers with large quantum computers. While cryptanalytic-scale quantum computers do not yet exist, the immediate deployment of a post-quantum key agreement mechanism will protect our users against "store now, decrypt later" attacks. For the initial experimentation period, all uses of Kyber will be paired with X25519 as a risk-minimizing measure.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1874959
Specification: https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-03.html
Standards Body: IETF, TLS WG
Platform coverage: All, after an initial period of desktop-only evaluation.
Preference: security.tls.enable_kyber
Link to standards-positions discussion: https://github.com/mozilla/standards-positions/issues/874
Other browsers:
    Blink: in developer trial https://groups.google.com/a/chromium.org/g/blink-dev/c/mniZUff1syc/m/tM5tSne9AwAJ.
    WebKit: not implemented.

-- John
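The draft linked above fixes the wire layout of the hybrid group: the client's key_exchange is the X25519 share (32 bytes) followed by the Kyber768 public key (1184 bytes), the server's is the X25519 share followed by the Kyber768 ciphertext (1088 bytes), and the resulting shared secret is the X25519 secret concatenated with the Kyber secret. The following is an added example, not code from the post, from NSS or from Firefox: a small encoder and strict parser for the TLS 1.3 key_share extension that knows the X25519Kyber768Draft00 code point (0x6399, the draft's provisional value) and rejects hybrid entries of the wrong size. The key material is random placeholder bytes of the correct lengths (constructed for the example), since the Python standard library provides neither X25519 nor Kyber768; the function names and the choice to reuse one X25519 share for both entries are the example's own.

```python
import os
import struct

# TLS NamedGroup code points: x25519 (0x001d) is from RFC 8446 and
# X25519Kyber768Draft00 (0x6399) is the provisional code point in
# draft-tls-westerbaan-xyber768d00.
X25519 = 0x001D
X25519KYBER768_DRAFT00 = 0x6399

# Component sizes in bytes (X25519 from RFC 7748, Kyber768 from the
# round-3 Kyber specification that the draft references).
X25519_LEN = 32
KYBER768_PK_LEN = 1184
KYBER768_CT_LEN = 1088
KYBER768_SS_LEN = 32

# Required KeyShareEntry.key_exchange lengths per group. The draft fixes the
# hybrid layout as X25519 share || Kyber768 public key (client) and
# X25519 share || Kyber768 ciphertext (server), so the lengths are exact.
CLIENT_SHARE_LEN = {X25519: X25519_LEN,
                    X25519KYBER768_DRAFT00: X25519_LEN + KYBER768_PK_LEN}
SERVER_SHARE_LEN = {X25519: X25519_LEN,
                    X25519KYBER768_DRAFT00: X25519_LEN + KYBER768_CT_LEN}


def encode_key_share_entry(group, key_exchange):
    """KeyShareEntry: uint16 group, opaque key_exchange<1..2^16-1>."""
    if not 1 <= len(key_exchange) <= 0xFFFF:
        raise ValueError("key_exchange length out of range")
    return struct.pack("!HH", group, len(key_exchange)) + key_exchange


def encode_client_key_share(entries):
    """KeyShareClientHello: KeyShareEntry client_shares<0..2^16-1>."""
    body = b"".join(encode_key_share_entry(g, k) for g, k in entries)
    return struct.pack("!H", len(body)) + body


def parse_client_key_share(data, expected_len=CLIENT_SHARE_LEN):
    """Parse KeyShareClientHello, rejecting malformed or wrong-size entries.

    Unknown groups are passed through (a server ignores groups it does not
    support); known groups must carry exactly the expected length.
    """
    if len(data) < 2:
        raise ValueError("truncated key_share extension")
    (body_len,) = struct.unpack("!H", data[:2])
    if body_len != len(data) - 2:
        raise ValueError("key_share vector length does not match data")
    entries, off, seen = [], 2, set()
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated KeyShareEntry header")
        group, ke_len = struct.unpack("!HH", data[off:off + 4])
        off += 4
        key_exchange = data[off:off + ke_len]
        if ke_len == 0 or len(key_exchange) != ke_len:
            raise ValueError("empty or truncated key_exchange")
        off += ke_len
        if group in seen:  # RFC 8446: at most one entry per group
            raise ValueError("duplicate group in key_share")
        seen.add(group)
        if group in expected_len and ke_len != expected_len[group]:
            raise ValueError(f"group {group:#06x}: key_exchange is {ke_len} "
                             f"bytes, expected {expected_len[group]}")
        entries.append((group, key_exchange))
    return entries


def split_hybrid_share(key_exchange, kyber_len):
    """Split an X25519 || Kyber768 component into its two parts."""
    if len(key_exchange) != X25519_LEN + kyber_len:
        raise ValueError("wrong hybrid share length")
    return key_exchange[:X25519_LEN], key_exchange[X25519_LEN:]


def combine_shared_secret(x25519_ss, kyber_ss):
    """Hybrid shared secret per the draft: X25519 ss || Kyber768 ss.

    Both halves feed the TLS 1.3 key schedule, so traffic keys stay secret
    unless an attacker can break both X25519 and Kyber768.
    """
    if len(x25519_ss) != X25519_LEN or len(kyber_ss) != KYBER768_SS_LEN:
        raise ValueError("bad shared secret component length")
    return x25519_ss + kyber_ss


def build_demo_client_key_share():
    """Build a ClientHello key_share offering the hybrid group and x25519.

    Placeholder key material (constructed for the example): random bytes of
    the right sizes stand in for a real X25519 public key and Kyber768
    public key. The classical entry is offered as well so a server without
    hybrid support can finish the handshake without a HelloRetryRequest.
    """
    x25519_pub = os.urandom(X25519_LEN)
    kyber_pk = os.urandom(KYBER768_PK_LEN)
    return encode_client_key_share([(X25519KYBER768_DRAFT00, x25519_pub + kyber_pk),
                                    (X25519, x25519_pub)])
```

Note the sizes: the hybrid client entry alone is 1216 bytes, so a ClientHello offering it no longer fits in one typical 1500-byte packet and is split across several TCP segments (or, for QUIC, several Initial packets). That size change, rather than the arithmetic, is where most of the deployment trouble with a mechanism like this tends to surface, which is one reason staged experiments are worthwhile.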

Martin Thomson

Feb 12, 2024, 11:23:19 PM
to John Schanck, dev-pl...@mozilla.org
Hi John,

This is a good experiment to conduct.  It might not be obvious, but in addition to the cryptography being pretty complex, getting the deployment of something like this right is surprisingly tricky.  Experiments should help us understand where the deployment problems lie.

How do you intend to roll out the experiment?  Nightly and early Beta for some time before some experiments in Release, or do you have other plans?

I'm also curious about the QUIC status.  It doesn't look like Cloudflare's demo site supports HTTP/3.  Are we planning to experiment with QUIC as well?

--Martin

John Schanck

Feb 13, 2024, 1:01:01 PM
to Martin Thomson, dev-pl...@mozilla.org
Hi Martin,

Yes, this is tricky to get right. I'm going to enable the feature by default on the desktop nightly channel and then roll it out to larger populations through pref-flip experiments.

I'm hoping to extend the experiment to QUIC in nightly 125. Looks like https://crypto.cloudflare.com/cdn-cgi/trace should work as a demo site.

John
