[CFRG] Re: Progressing NTRUPrime/Classic McEliece drafts
Thom Wiggers <thom@thomwiggers.nl> Wed, 29 January 2025 11:13 UTC
Hi all,

Thanks to everyone who came forward with use cases; let me clarify that I never intended to suggest that McEliece should not be standardized, it’s just that its dramatic trade-off makes it a bit niche. I’m very interested in seeing if this trade-off can be properly exploited :-)

Cheers,
Thom

> On 29 Jan 2025, at 03:25, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On Tue, Jan 28, 2025 at 1:41 AM Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org> wrote:
>> "Martin Thomson" <mt@lowentropy.net> writes:
>>
>> > On Mon, Jan 27, 2025, at 20:02, Thom Wiggers wrote:
>> >> For Classic McEliece, I think it would be helpful if people come
>> >> forward with concrete applications in which they're actually
>> >> wanting/trying to deploy Classic McEliece.
>> >
>> > I think that it would be very useful to have McEliece available for
>> > both Oblivious HTTP and (maybe) ECH. We have a few cases where the
>> > number of times that public keys transit the network are far fewer
>> > than the number of ciphertexts. Obviously, a hybrid with X25519 is
>> > probably where I'd want to go with that.
>>
>> I have specified a hybrid between X448+X25519 and Classic McEliece here:
>>
>> https://datatracker.ietf.org/doc/html/draft-josefsson-chempat-02#name-chempat-with-classic-mcelie
>>
>> FWIW, I think the CFRG should be able to publish crypto primitive
>> specifications if there are people interested in working on them.
>
> I agree that the CFRG should be able to publish crypto specifications.
> I think the CFRG should focus its limited energy on specifications
> which are likely to be used by IETF protocols.
>
>> Deferring authority on crypto primitives to NIST is implied by many
>> suggestions made IETF-wide right now.
>
> I haven't seen anyone suggest that CFRG should not publish its own
> specifications regardless of what NIST does. That's certainly not
> my position. That would be an odd position to take as CFRG has
> already done this a number of times.
>
> -Ekr
>
>>
>> /Simon
>>
>> >
>> > With a 240 byte ciphertext (I had trouble finding a specific value, so
>> > this might be incorrect), that's quite a lot smaller than ML-KEM-768.
>> > The ~800 bytes of saving per message means that you need to clear
>> > ~1200 messages for each public key transfer before the overall
>> > transfer cost is neutral. But the likelihood that messages fit in a
>> > single packet is a huge gain that has value far beyond what a simple
>> > tally might suggest.
>> >
>> > I mentioned ECH, though I suspect that we'd need to do some work
>> > there. That is, both to get 1MB keys into DNS reliably (ECH configs
>> > are currently 71 bytes typically) as well as to improve caching and
>> > reuse so that the 1200:1 ratio could be realized. Right now, I
>> > suspect that the ratio for ECH is closer to OHTTP can easily reach
>> > that sort of ratio, which makes McEliece a viable option there.
>> >
>> > _______________________________________________
>> > CFRG mailing list -- cfrg@irtf.org
>> > To unsubscribe send an email to cfrg-leave@irtf.org