[CFRG] Millions of dollars of hashing

"D. J. Bernstein" <djb@cr.yp.to> Thu, 22 February 2024 15:27 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 409F9C180B4C for <cfrg@ietfa.amsl.com>; Thu, 22 Feb 2024 07:27:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.204
X-Spam-Level:
X-Spam-Status: No, score=-4.204 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BO_6ejnLkDoB for <cfrg@ietfa.amsl.com>; Thu, 22 Feb 2024 07:27:09 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 77FD8C180B47 for <cfrg@irtf.org>; Thu, 22 Feb 2024 07:27:09 -0800 (PST)
Received: (qmail 25461 invoked by uid 1010); 22 Feb 2024 15:27:07 -0000
Received: from unknown (unknown) by unknown with QMTP; 22 Feb 2024 15:27:07 -0000
Received: (qmail 929018 invoked by uid 1000); 22 Feb 2024 15:27:00 -0000
Date: Thu, 22 Feb 2024 15:27:00 -0000
Message-ID: <20240222152700.929016.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CAEEbLAbRHjJGm-3CQipzW=n40B-b23D6ZxmHN-f3PtVikj5=Cw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/MofklNaRFIc5qhxzABs0pQA3FKE>
Subject: [CFRG] Millions of dollars of hashing
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2024 15:27:14 -0000

Sophie Schmieg writes:
> If saving a single hash in TLS saves compute time worth millions of
> dollars/CO2 emissions/energy

Does it? Let's look at the numbers.

Two million dollars pay for about 2^72 Intel CPU cycles (see Section 4.2
of https://cr.yp.to/papers.html#pppqefs) meaning about 2^69 bytes of
hashing, meaning about 2^58 key exchanges (since we're talking about
extra hashing of a total of about 2^11 bytes of key and ciphertext).

Is the claim here that Google carries out 2^58 TLS handshakes per year?
Or that the _full Internet_ carries out 2^58 TLS handshakes per year?

https://www.statista.com/statistics/267202/global-data-volume-of-consumer-ip-traffic/
indicates total consumer Internet traffic approaching 2^69 bytes per
year---but of course very little of that is handshakes.

https://httparchive.org/reports/state-of-the-web indicates that the
median web page is well above 2MB, with a distribution suggesting that
the average is above the median. It also indicates that the number of
servers per web page has dropped to 10. If TLS handshakes aren't reused
_at all_ across pages then that's 2^17 bytes of traffic per handshake,
meaning about 2^52 TLS handshakes per year.

Surely the actual number is less: https://eprint.iacr.org/2023/734 finds
quite a bit of TLS resumption; Sandvine says that most Internet traffic
is now video; etc. But let's keep going with this 2^52 overestimate, and
let's assume instant Internet-wide deployment of the hash at issue.

We're talking about a total, across the entire Internet, of <2^15
dollars/year of hashing.

As for energy usage: Only about 1/4 of the direct cost is for energy
payments (at 2^-3 dollars/kwH), but let's take the whole purchase cost
as indirectly consuming energy. The energy usage is then roughly 2^18
kwH each year. That's around a billionth of the world's energy usage.

If we're trying to save the environment through our post-quantum
choices, shouldn't we be looking at bigger issues than hash calls? For
example, shouldn't we be systematically caching public keys rather than
burning energy continually re-transmitting them? And shouldn't we be
switching to McEliece so that we spend less energy transmitting
ciphertexts? See https://cr.yp.to/talks.html#2023.10.25.

More importantly, even though it's fun to minimize costs, job #1 here is
security. We know that overloading security reviewers is a major source
of security failures, so we should be trying hard to avoid doing that.
When we can spend a negligible number of extra CPU cycles to simplify
the reviewer's job, great!

https://www.rfc-editor.org/rfc/rfc7258.html says "Pervasive monitoring
is a technical attack that should be mitigated in the design of IETF
protocols, where possible". It doesn't say "where the cost is zero", and
it doesn't say "except if someone mentions energy usage". IETF has many
security mechanisms that incur costs.

Finally, security also has an important potential to _reduce_ costs.
https://www.statista.com/statistics/267132/total-damage-caused-by-by-cybercrime-in-the-us/
reports cybercrime in the U.S. costing over 2^33 dollars/year (never
mind harder-to-measure impacts of attacks; certainly cleaning up after
an attack burns human time and energy). A security mechanism that has a
world total cost of <2^15 dollars/year is expected to save money if it
has more than four chances in a million of stopping attacks.

---D. J. Bernstein