Re: [CFRG] [Pqc] New Liaison Statement, "Quantum Safe Cryptographic Protocol Inventory"
"D. J. Bernstein" <djb@cr.yp.to> Sun, 25 February 2024 14:59 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6BBBC151087 for <cfrg@ietfa.amsl.com>; Sun, 25 Feb 2024 06:59:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.206
X-Spam-Level:
X-Spam-Status: No, score=-4.206 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id asyskpPqibGv for <cfrg@ietfa.amsl.com>; Sun, 25 Feb 2024 06:59:09 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 4800AC14F747 for <cfrg@irtf.org>; Sun, 25 Feb 2024 06:59:04 -0800 (PST)
Received: (qmail 21102 invoked by uid 1010); 25 Feb 2024 14:59:02 -0000
Received: from unknown (unknown) by unknown with QMTP; 25 Feb 2024 14:59:02 -0000
Received: (qmail 1145642 invoked by uid 1000); 25 Feb 2024 14:58:56 -0000
Date: Sun, 25 Feb 2024 14:58:56 -0000
Message-ID: <20240225145856.1145640.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CAMjbhoUSQ9CWLuH9adGmHnZOveLK1NNSGTYNxJ4C1mnRkcLN+A@mail.gmail.com> <033e31eb-90b4-6051-8f61-c206aa0039f0@nohats.ca> <CAMjbhoW9T+4pHKZXOVytNzpSQNKnTbymJ2_o1D-JMb8JmVzU9Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/YVVjUaDCCaBndfaokO2m-zNpQRA>
Subject: Re: [CFRG] [Pqc] New Liaison Statement, "Quantum Safe Cryptographic Protocol Inventory"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Feb 2024 14:59:14 -0000
Bas Westerbaan writes: > The key point is the timescale. Within the proposed text for an IETF position, the text that I was commenting upon was "The idea that symmetric cryptography will be practically affected by CRQCs is now seen as a misconception". I don't see how the reader would expect "will" to be imposing a time limit. If the intention was to limit the statement to N years, then I'd like to know what N is (for comparison to the number of years stated as confidentiality requirements in various applications) and how exactly that value of N is supposed to be supported by the references cited. There is one timed statement elsewhere in the proposed text, namely "classical supercomputers might be able to brute force AES-128 around the year 2090", but I have other objections to that statement: (1) The reader understands "might ... around the year 2090" to mean that this risk _begins_ around the year 2090. The underlying data actually leads to much wider uncertainty intervals than that. (2) Special-purpose attack hardware is much faster than normal supercomputers for this cryptanalytic task. (See, e.g., https://cat.cr.yp.to/cryptattacktester-20231020.pdf#subsection.F.11 quantifying the speed advantage of Bitcoin-mining hardware.) (3) If 2^40 128-bit keys encrypt a known plaintext then one of the keys will be broken by an attack that is already feasible for large-scale attackers _today_. (For further comments on this, see https://blog.cr.yp.to/20151120-batchattacks.html.) The third point by itself is ample reason to move away from 128-bit keys. Trying to add multi-target protections into every use of 128-bit keys is much more complicated for designers and for security reviewers than simply upgrading to 256-bit keys. As an illustration of the complicated approach damaging security, consider * the collapse of the claim that "the FrodoKEM parameter sets comfortably match their target security levels with a large margin" and * the feasibility of a multi-ciphertext attack against FrodoKEM-640, coming from an attacker being able to test possibilities for a 128-bit key inside FrodoKEM-640. FrodoKEM was patched in 2023 to try to address the multi-ciphertext failure, but this doesn't rescue the "comfortably ... large margin" claim. Insisting on 256 bits everywhere would have avoided the entire security failure in the first place. Paul Wouters writes: > There is also a real environmental cost if every server switches from > say aes128 to aes256 for all its disk/network operations. What exactly does "real" mean here, and why exactly is the cost of using 256-bit keys being equated with the cost of using AES-256? I agree that AES-256 uses about 1.4x more bit operations than AES-128. But ChaCha20 * uses just 126 bitops/bit, which is 1.4x _fewer_ than AES-128; * has none of the key-expansion costs incurred by AES; * has much higher PRF security than AES-256; * has a much larger security margin than AES-256; and * has a 256-bit key, just like AES-256. ChaCha20 software has even larger advantages over AES software: it uses the fast addition circuits in CPUs, naturally eliminates the timing variations exploited in, e.g., https://eprint.iacr.org/2019/996, and ends up slaughtering AES in performance. Google---which seems satisfied with the smaller security margins of AES-256 and ChaCha12---rolled out ChaCha12 for flash encryption for "the next billion users": https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html To be clear, this doesn't mean ChaCha software will beat AES on a CPU that has AES _hardware_. To be concrete, let's look at Zen 3 speeds (since John Mattsson recently picked a Zen 3 CPU as an example): AES-256 runs at 0.58 cycles/byte with special AES hardware support, while ChaCha12 runs at 0.68 cycles/byte, so obviously switching from AES-128 to ChaCha on that CPU would cost cycles. But shouldn't we be more worried about a poor little Raspberry Pi 3, where SUPERCOP lists ChaCha12 as 3.52 cycles/byte and _variable-time_ AES-128 as 17.22 cycles/byte? More fundamentally, to _really_ save the environment, shouldn't we be pushing for a future where all CPUs have ChaCha directly in hardware? Think of the children! ---D. J. Bernstein
- Re: [CFRG] [Pqc] New Liaison Statement, "Quantum … D. J. Bernstein
- Re: [CFRG] New Liaison Statement, "Quantum Safe C… John Mattsson
- Re: [CFRG] [Pqc] New Liaison Statement, "Quantum … D. J. Bernstein