[CFRG] Re: Progressing NTRUPrime/Classic McEliece drafts

Simon Josefsson <simon@josefsson.org> Tue, 28 January 2025 09:40 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Martin Thomson <mt@lowentropy.net>
In-Reply-To: <b7af8867-7386-4f03-b28a-cd5a32297ec4@betaapp.fastmail.com> (Martin Thomson's message of "Tue, 28 Jan 2025 14:07:40 +1100")
References: <CACsn0cnJ7TgnCp1GsSnRfJCY1rt+t2BBSadm0YkDM8tuL-pE+A@mail.gmail.com> <CAOp4FwR_E4hky7RehU4c1rsy1tFxDgUTfKRRuj3NxWBThC3sow@mail.gmail.com> <CABzBS7kLoP7U=EpQmotCQntASFGcrLXpnSuTQ3i18W-W8Hf5QA@mail.gmail.com> <b7af8867-7386-4f03-b28a-cd5a32297ec4@betaapp.fastmail.com>
Date: Tue, 28 Jan 2025 10:40:34 +0100
Message-ID: <87y0yvs2ct.fsf@josefsson.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-pVmz-Nm4qz8E-vQz2BQKDQdOWg>

"Martin Thomson" <mt@lowentropy.net> writes:

> On Mon, Jan 27, 2025, at 20:02, Thom Wiggers wrote:
>> For Classic McEliece, I think it would be helpful if people come 
>> forward with concrete applications in which they're actually 
>> wanting/trying to deploy Classic McEliece.
>
> I think that it would be very useful to have McEliece available for
> both Oblivious HTTP and (maybe) ECH.  We have a few cases where the
> number of times that public keys transit the network are far fewer
> than the number of ciphertexts.  Obviously, a hybrid with X25519 is
> probably where I'd want to go with that.

I have specified a hybrid between X448+X25519 and Classic McEliece here:

https://datatracker.ietf.org/doc/html/draft-josefsson-chempat-02#name-chempat-with-classic-mcelie

FWIW, I think the CFRG should be able to publish crypto primitive
specifications if there are people interested in working on them.
Deferring authority on crypto primitives to NIST is implied by many
suggestions made IETF-wide right now.

/Simon


>
> With a 240 byte ciphertext (I had trouble finding a specific value, so
> this might be incorrect), that's quite a lot smaller than ML-KEM-768.
> The ~800 bytes of saving per message means that you need to clear
> ~1200 messages for each public key transfer before the overall
> transfer cost is neutral.  But the likelihood that messages fit in a
> single packet is a huge gain that has value far beyond what a simple
> tally might suggest.
>
> I mentioned ECH, though I suspect that we'd need to do some work
> there.  That is, both to get 1MB keys into DNS reliably (ECH configs
> are currently 71 bytes typically) as well as to improve caching and
> reuse so that the 1200:1 ratio could be realized.  Right now, I
> suspect that the ratio for ECH is closer to OHTTP can easily reach
> that sort of ratio, which makes McEliece a viable option there.
>
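The break-even reasoning in Martin's message (a large public key fetched rarely versus a small ciphertext sent often) can be turned into a reusable calculation. The following is an added example, not code from the thread or from the Chempat draft. The X25519 and ML-KEM-768 sizes are the standard encoding sizes; the Classic McEliece figures (about 1 MB public key, 240-byte ciphertext) are taken from Martin's approximate numbers, which he flags as possibly incorrect, so treat them as assumptions rather than parameter-set facts. The hybrid composition simply adds sizes, which is how any concatenation-style combiner behaves on the wire.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KemSizes:
    """Wire sizes of a KEM: bytes the recipient publishes once (public key)
    and bytes every sender transmits per message (ciphertext)."""
    name: str
    public_key: int
    ciphertext: int

    def hybrid(self, other: "KemSizes") -> "KemSizes":
        # A concatenation-style hybrid (e.g. X25519 alongside a PQ KEM)
        # publishes both public keys and sends both ciphertexts.
        return KemSizes(f"{self.name}+{other.name}",
                        self.public_key + other.public_key,
                        self.ciphertext + other.ciphertext)


# Standard encoding sizes for X25519 and ML-KEM-768.
X25519 = KemSizes("X25519", public_key=32, ciphertext=32)
ML_KEM_768 = KemSizes("ML-KEM-768", public_key=1184, ciphertext=1088)

# Assumed (constructed) figures: Martin's "1MB key" and "240 byte ciphertext",
# which the thread itself marks as uncertain. Not a specific parameter set.
MCELIECE_APPROX = KemSizes("ClassicMcEliece(approx)", public_key=1_000_000,
                           ciphertext=240)


def transfer_bytes(kem: KemSizes, messages: int, key_fetches: int = 1) -> int:
    """Total bytes moved for `messages` encapsulations against `key_fetches`
    downloads of the public key (one per cache miss, config rotation, etc.)."""
    return key_fetches * kem.public_key + messages * kem.ciphertext


def break_even_messages(candidate: KemSizes, baseline: KemSizes) -> Optional[int]:
    """Smallest number of messages per public-key fetch at which switching from
    `baseline` to `candidate` stops costing extra bytes overall.

    Returns 0 if the candidate is never more expensive, None if it is always
    more expensive (no saving per message to amortise the larger key)."""
    saving_per_message = baseline.ciphertext - candidate.ciphertext
    extra_key_bytes = candidate.public_key - baseline.public_key
    if extra_key_bytes <= 0 and saving_per_message >= 0:
        return 0
    if saving_per_message <= 0:
        return None
    return max(0, math.ceil(extra_key_bytes / saving_per_message))


def packet_headroom(kem: KemSizes, packet_budget: int) -> int:
    """Bytes left for headers and payload after the ciphertext, for a given
    single-packet budget (negative means the ciphertext alone does not fit)."""
    return packet_budget - kem.ciphertext


if __name__ == "__main__":
    baseline = ML_KEM_768.hybrid(X25519)
    candidate = MCELIECE_APPROX.hybrid(X25519)
    n = break_even_messages(candidate, baseline)
    print(f"{candidate.name} vs {baseline.name}: break-even at {n} messages per key fetch")
    for budget in (1200, 1400):
        print(f"  headroom in a {budget}-byte packet: "
              f"{packet_headroom(candidate, budget)} vs {packet_headroom(baseline, budget)}")
```

With the thread's figures the break-even comes out just under 1200 messages per key fetch, matching Martin's estimate; the function also reports `None` for a candidate whose ciphertext is not smaller, and the headroom helper makes the "fits in a single packet" argument explicit for a chosen MTU budget.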