[CFRG] Re: Progressing NTRUPrime/Classic McEliece drafts

Martin Thomson <mt@lowentropy.net> Tue, 28 January 2025 03:08 UTC

Date: Tue, 28 Jan 2025 14:07:40 +1100
From: Martin Thomson <mt@lowentropy.net>
To: Thom Wiggers <thom@thomwiggers.nl>, Watson Ladd <watsonbladd@gmail.com>
CC: CFRG <cfrg@irtf.org>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/aMps0DSgPM3efByRQeJWI5e0bBA>


On Mon, Jan 27, 2025, at 20:02, Thom Wiggers wrote:
> For Classic McEliece, I think it would be helpful if people come 
> forward with concrete applications in which they're actually 
> wanting/trying to deploy Classic McEliece.

I think that it would be very useful to have McEliece available for both Oblivious HTTP and (maybe) ECH.  We have a few cases where the number of times that public keys transit the network is far fewer than the number of ciphertexts.  Obviously, a hybrid with X25519 is probably where I'd want to go with that.

With a 240-byte ciphertext (I had trouble finding a specific value, so this might be incorrect), that's quite a lot smaller than ML-KEM-768.  The ~800 bytes of saving per message means that you need to clear ~1200 messages for each public key transfer before the overall transfer cost is neutral.  But the likelihood that messages fit in a single packet is a huge gain that has value far beyond what a simple tally might suggest.

I mentioned ECH, though I suspect that we'd need to do some work there.  That is, both to get 1MB keys into DNS reliably (ECH configs are currently 71 bytes typically) as well as to improve caching and reuse so that the 1200:1 ratio could be realized.  Right now, I suspect that the ratio for ECH is closer to OHTTP can easily reach that sort of ratio, which makes McEliece a viable option there.