Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"
Hubert Kario <hkario@redhat.com> Wed, 21 February 2024 16:15 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75A9EC14F70A for <cfrg@ietfa.amsl.com>; Wed, 21 Feb 2024 08:15:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y2x0mZ0TgKXI for <cfrg@ietfa.amsl.com>; Wed, 21 Feb 2024 08:15:54 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21606C14F6B1 for <cfrg@irtf.org>; Wed, 21 Feb 2024 08:15:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1708532153; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=A4aacfbQgAfxQLO3vqo8tod5rRUtUiWA/5jDMrQGwwk=; b=CTXHG/QxyVm7sfQMjnE7mE+/J9m7P7EHOGdGbjfq6DHrI9pNauIHpfspRiZzVoe6OpUhVw Jw2SEp6bkX5ZcGMiXKiYSu/u+9lQyj26L8+xTUWKtWFiAKvfr9vthx7mnQf3ZMXt/WOOUt oVHd8EU7jgkeJxldi6pW7bFXrDs9smg=
Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-426-IDwpe7uwPESCDa3yfrcEow-1; Wed, 21 Feb 2024 11:15:51 -0500
X-MC-Unique: IDwpe7uwPESCDa3yfrcEow-1
Received: by mail-wr1-f70.google.com with SMTP id ffacd0b85a97d-33d0d313b81so2971726f8f.3 for <cfrg@irtf.org>; Wed, 21 Feb 2024 08:15:51 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708532150; x=1709136950; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=PXP0HgYWmhb8ftpPct8Th/3Uhk2wcO5eo3vn06ZUu0U=; b=H3GAHRiLtlI4HfwJayposCzwg5KgcEPggCIHmC6k4/Xv+euRZjAT246TPB3UKgI4V5 1D1qBsHD8q6SyGIE14hatwymrqzVjhmhhz4XYnlXvV5ndv1/2z2AcPD86KEd9ug2YClr c3nSiCncNtB1hptMmA1lPNVxuxk1OrMlXGve4+oL/etAniymJm81R0BCxKgTDL1I5Aou 6j5RCpE15fAyJAfDDWJbvsNRtzBBF551xa3Szegk7AxiAIUit2ZZBbDNNN6cR0PRYTIn 53bqqUUmZMNb4C7ZSHftiMLjTtwofChg182tpS8HROgOGh0kO799wb3MaRWGfmgkWMoT sSzg==
X-Forwarded-Encrypted: i=1; AJvYcCUML6CkjWFxOPSWWT23PVs4W/7iyZwVcDJ5Q+hTHienmxgfL5Qwghe9gitAZUxjpOZIgaO5pC/4I6ymfUtj
X-Gm-Message-State: AOJu0YyZZjZe9aYvqrGnNASb97usViMIuLtVl/76UcrGxgLq/F46Mzpu j0HnOlNiLBaxggpS/KEAWG5z2sL9+8v/O/SSTYJwfo5N92CACuOnMjKeOcTRLnUTXhJQlYnoG9+ 3cuDtTLrTQvaqmBZCu17/29r4d/6nyG/BNnVXn692GzjDqtWIAQ==
X-Received: by 2002:a5d:50d2:0:b0:33d:5272:6a8f with SMTP id f18-20020a5d50d2000000b0033d52726a8fmr5758030wrt.14.1708532150381; Wed, 21 Feb 2024 08:15:50 -0800 (PST)
X-Google-Smtp-Source: AGHT+IE8IHaub4n+lrnxXEVYtWEI97gh7wm/0TCGbM7P72/2mMa6L+Qnijvq8BKCLaSG7FOME8a4tw==
X-Received: by 2002:a5d:50d2:0:b0:33d:5272:6a8f with SMTP id f18-20020a5d50d2000000b0033d52726a8fmr5758015wrt.14.1708532150025; Wed, 21 Feb 2024 08:15:50 -0800 (PST)
Received: from localhost (nat-pool-brq-u.redhat.com. [213.175.37.12]) by smtp.gmail.com with ESMTPSA id x6-20020adff0c6000000b0033cfc035940sm17254380wro.34.2024.02.21.08.15.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Feb 2024 08:15:49 -0800 (PST)
From: Hubert Kario <hkario@redhat.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Watson Ladd <watsonbladd@gmail.com>, CFRG <cfrg@irtf.org>
Date: Wed, 21 Feb 2024 17:15:48 +0100
MIME-Version: 1.0
Message-ID: <e1369b3b-d279-4f28-9076-71b1c20a55f5@redhat.com>
In-Reply-To: <CH0PR11MB5739C6CE875CB324341DA1859F572@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CACsn0cmHNUGvDLctDKE4OUAWZiu3Ukj14hPBdP5Pd6B20CH44g@mail.gmail.com> <CH0PR11MB57392D1AD5E11B0F9813D09C9F502@CH0PR11MB5739.namprd11.prod.outlook.com> <CACsn0cm5Mk4fe-0V7ZvqnMrgm-yLEYxBtdvZCY6_2bFNMDKYqQ@mail.gmail.com> <CH0PR11MB57397410451311E1F310858B9F502@CH0PR11MB5739.namprd11.prod.outlook.com> <f0f38c7f-709a-4831-adec-5b74e5472eca@redhat.com> <CH0PR11MB5739B79C1BC69F91187663A79F572@CH0PR11MB5739.namprd11.prod.outlook.com> <87dcfb15-293a-4cfc-b264-c19ef5496bcc@redhat.com> <CH0PR11MB573995927633B3F2E46F79519F572@CH0PR11MB5739.namprd11.prod.outlook.com> <aa9dedf2-d3ff-4899-939f-31717c373329@redhat.com> <CH0PR11MB5739C6CE875CB324341DA1859F572@CH0PR11MB5739.namprd11.prod.outlook.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.11; xcb; Linux; Fedora release 38 (Thirty Eight)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/stkjAubfQQcO1gpVygbLVno4keQ>
Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2024 16:15:58 -0000
On Wednesday, 21 February 2024 16:59:28 CET, Mike Ounsworth wrote: >> For JWA/JWE PKCS#1v1.5 is already dead: no browser allows PKCS#1v1.5 >> encryption in webcrypto API. > > You’re trying to claim that JWE is only used in browsers? > Backend-to-backend JWE doesn’t count? > > PKCS#1v1.5 encryption still seems to be supported in the two > largest JWE libraries for java: > > https://javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/index.html > > https://javadoc.io/doc/org.bitbucket.b_c/jose4j/latest/org/jose4j/jwe/RsaKeyManagementAlgorithm.Rsa1_5.html > fair point > >> Now in the wider context: Will there people that continue to do stupid >> things? Absolutely. >> Should we make it easy for them to do stupid things? I don't think so. > > This is a fair point, but I would phrase it as “If we know that > people are going to do stupid things anyway, can we help them do > it less stupidly?” and that is the "define RSA-OAEP+Kyber" > --- > Mike Ounsworth > > From: Hubert Kario <hkario@redhat.com> > Sent: Wednesday, February 21, 2024 9:52 AM > To: Mike Ounsworth <Mike.Ounsworth@entrust.com> > Cc: Watson Ladd <watsonbladd@gmail.com>; CFRG <cfrg@irtf.org> > Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids" > > Not aware of anything CMS specific. My draft is a general > recommendation. For JWA/JWE PKCS#1v1. 5 is already dead: no > browser allows PKCS#1v1. 5 encryption in webcrypto API. Now in > the wider context: Will there people that continue to do stupid > Not aware of anything CMS specific. > My draft is a general recommendation. > For JWA/JWE PKCS#1v1.5 is already dead: no browser allows PKCS#1v1.5 > encryption in webcrypto API. > > Now in the wider context: Will there people that continue to do stupid > things? Absolutely. > Should we make it easy for them to do stupid things? I don't think so. > > On Wednesday, 21 February 2024 16:37:30 CET, Mike Ounsworth wrote: >> Hi Hubert, >> >> That’s a TLS-specific draft. Is there anything that would cover >> PKCS#1 usage in CMS or JOSE (JWA)? >> >> --- >> Mike Ounsworth >> >> From: Hubert Kario <hkario@redhat.com> >> Sent: Wednesday, February 21, 2024 9:30 AM >> To: Mike Ounsworth <Mike.Ounsworth@entrust.com> >> Cc: Watson Ladd <watsonbladd@gmail.com>; CFRG <cfrg@irtf.org> >> Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids" >> >> On Wednesday, 21 February 2024 16: 12: 58 CET, Mike Ounsworth >> wrote: >> If we don't provide OIDs for combined PKCS#1/Kyber, >> then people won't > be using it. > > That’s optimistic 😊 > I >> think it means that people won’t be using >> On Wednesday, 21 February 2024 16:12:58 CET, Mike Ounsworth wrote: >>>> If we don't provide OIDs for combined PKCS#1/Kyber, then people won't >>> be using it. >>> >>> That’s optimistic 😊 >>> I think it means that people won’t be using it in a >>> standardized and peer-reviewed way, which might be worse. >>> >>> Hypothetical situation: an organization has a FIPS certified >>> implementation of RSAencryption-PKCS#1v1.5. >> >> It's purely hypothetical, as in FIPS mode you're not allowed to use >> PKCS#1v1.5 since 1st of January 2024, no matter when your cryptographic >> module received certification. >> >>> Once FIPS 203 drops >>> in June – August 2024, it will take X years go get ML-KEM >>> through the FIPS certification, but in the meantime they can >>> claim FIPS-certification on a PKCS#1/Kyber hybrid. If the IETF >>> is only giving OIDs for OAEP/Kyber and RSA-KEM/Kyber, then they >>> will have to implement new OAEP or RSA-KEM code and run that >>> through FIPS certification that will equivalently take X years. >>> That’s a strong reason to use PKCS#1/Kyber, whether or not the >>> IETF has provided an OID for it. >>> >>> I’m not necessarily saying that people *are* going to do this >>> (I need to do some homework here too), but I think that *IF* >>> people are going to do this, then it’s probably worth doing >>> properly in a standardized and peer-reviewed way. >>> >>> By the way #1: Is there an RFC that formally deprecates >>> RSAencryption-PKCS#1v1.5? >> >> not yet: >> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/__;!!FJ-Y8qCqXTj2!c7bWTChVknVaBqExzLbeF7OCgpQiCWsgL9FQuQkxaJLCWqsY-JR2NiTA5OJL7hvAALBCQN8MBWKYV4YH46I$ >> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-kario-rsa-guidance/__;!!FJ-Y8qCqXTj2!c7bWTChVknVaBqExzLbeF7OCgpQiCWsgL9FQuQkxaJLCWqsY-JR2NiTA5OJL7hvAALBCQN8MBWKYPz0v_RM$ >> >> but it's basically a done deal at this point >> >>> By the way #2: no argument that RSA-OAEP is in all ways better, >>> but for my education, I am aware of the Bleichenbacher attack, >>> and that there exist many bad implementations of PKCS#1v1.5, but >>> also that in absence of an exploitable decryption oracle, right? >> >> The whole issue with PKCS#1v1.5 is that padding check error is the >> information >> that the attacker is looking for. >> >> Normal way of handling errors is to raise an exception, or >> push it to error >> stack, or do 100 other ways that triggers a different code path than >> regular decryption. That means that error processing generally will have >> a different timing characteristic than successful decryption, making >> the attack easy. >> >> Handling that error in side-channel free way requires two page-long >> description >> in the TLS RFC >> (https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/rfc5246*section-7.4.7.1__;Iw!!FJ-Y8qCqXTj2!c7bWTChVknVaBqExzLbeF7OCgpQiCWsgL9FQuQkxaJLCWqsY-JR2NiTA5OJL7hvAALBCQN8MBWKYqRHgGGk$) >>and the TLS gets away with it only because the PMS is also mixed with >> ServerHello.random before using it for encryption key derivation. >> Protocols like CMS don't have that luxury. >> >>> Also, >>> >>> --- >>> Mike Ounsworth >>> >>> From: Hubert Kario <hkario@redhat.com> >>> Sent: Wednesday, February 21, 2024 8:22 AM >>> To: Mike Ounsworth <Mike.Ounsworth@entrust.com> >>> Cc: Watson Ladd <watsonbladd@gmail.com>; CFRG <cfrg@irtf.org> >>> Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids" >>> >>> On Wednesday, 21 February 2024 00: 07: 25 CET, Mike Ounsworth >>> wrote: > Hi Watson, Sophie, Hubert, > > I’ll reply all at once. >>> > > > The point of having ML-KEM + RSA hybrids is not about >>> reusing > *keys*, which I agree should >>> On Wednesday, 21 February 2024 00:07:25 CET, Mike Ounsworth wrote: >>>> Hi Watson, Sophie, Hubert, >>>> >>>> I’ll reply all at once. >>>> >>>> >>>> The point of having ML-KEM + RSA hybrids is not about reusing >>>> *keys*, which I agree should not be done, but about reusing >>>> *code*. For the ultra-conservative crowd, being able to put >>>> their existing code (again, “code”, not “keys”) into hybrid >>>> reduces the migration risk. >>>> >>>> Hubert, I am not trying to suggest that RSA_PKCS#1v1.5 is >>>> acceptable in any academic sense, but I am suggesting that it >>>> still very much exists in the wild in applications which need >>>> migrate-out strategies. If you want to leverage ML-KEM in >>>> addition to your existing codebase, and your existing codebase >>>> is RSA_PKCS#1v1.5, then that is what you will do. >>> >>> That would make sense only if your code base implements PKCS#1v1.5 >>> properly, and the chances for that are slim to none. >>> >>> The list on Marvin Attack page is over 30 implementations long >>> _because I tested just over 30 implementations._ Of all the ones >>> tested only two turned out to be side-channel safe. >>> >>> People's efforts are far better spent making sure that OAEP >>> is implemented >>> correctly than wrangling PKCS#1v1.5 to make it side-channel free. >>> Implementing OAEP from scratch will be easier than implementing >>> PKCS#1v1.5 in side-channel free way. >>> >>>> I suppose it is one possible outcome here for the IRTF / IETF >>>> to say that RSA-PKCS#1 and/or RSA-OAEP and/or RSA-KEM are >>>> deprecated and the IRTF / IETF will not be standardizing ML-KEM >>>> + RSA hybrids. That will not prevent people from doing it, it >>>> will just prevent people from doing it in standardized and >>>> peer-reviewed ways. >>> >>> If we don't provide OIDs for combined PKCS#1/Kyber, then people won't >>> be using it. >>> >>>> --- >>>> Mike Ounsworth >>>> >>>> From: Watson Ladd <watsonbladd@gmail.com> >>>> Sent: Tuesday, February 20, 2024 3:15 PM >>>> To: Mike Ounsworth <Mike.Ounsworth@entrust.com> >>>> Cc: CFRG <cfrg@irtf.org> >>>> Subject: Re: [EXTERNAL] [CFRG] What I want from the "KEM hybrids" >>>> >>>> On Tue, Feb 20, 2024, 1: 06 PM Mike Ounsworth >>>> <Mike. Ounsworth@ entrust. com> wrote: > > Hey Watson, > > > > I >>>> could come around to this viewpoint that CFRG should not >>>> standardize a generic KEM combiner, but instead publish >>>> On Tue, Feb 20, 2024, 1:06 PM Mike Ounsworth >>>> <Mike.Ounsworth@entrust.com> wrote: >>>>> >>>>> Hey Watson, >>>>> >>>>> >>>>> >>>>> I could come around to this viewpoint that CFRG should not >>>>> standardize a generic KEM combiner, but instead publish a suite >>>>> of specific-algorithm combiners. >>>>> >>>>> >>>>> >>>>> The question then becomes: “which algorithms need to be >>>>> supported on the Internet during the PQC migration period?” >>>>> The answer is probably some subset of {ML-KEM, NTRU, Classic >>>>> McEliece} X {X25519, X448, ECDH{P*, Brainpool*}, RSA-KEM, >>>>> RSA-PKCS#1, RSA-OAEP}. Then we get into the game of trying to >>>>> figure out which of those combinations have enough usage to >>>>> motivate their own spec. >>>> >>>> >>>> I'm not convinced we need any RSA options. You shouldn't reuse key >>>> material for this. >>>> >>>> Why Brainpool? It's not deployed widely. ECDHP makes sense for >>>> FedRAMP/FIPS issues but I won't cry if we say X25519 alone because >>>> that is permitted now even if certificates aren't quite updated. There >>>> needs to be a strong rationale for each additional variation, because >>>> the more you fill out the cartesian product the more tempting a >>>> generic interface that application users will misuse becomes. >>>> >>>>> >>>>> >>>>> >>>>> The alternative is that CFRG publish a few optimized >>>>> combinations, like ML-KEM+x25519, and a lower-performance >>>>> generic combiner for “the rest”. >>>> >>>> There is no generic interface here: RSA-OAEP, ECDH, are different in >>>> ways that matter for security. >>>> >>>> Sincerely, >>>> Watson >>> >> > -- Regards, Hubert Kario Principal Quality Engineer, RHEL Crypto team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
- [CFRG] (no subject) D. J. Bernstein
- Re: [CFRG] (no subject) Andy Lutomirski
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- [CFRG] What I want from the "KEM hybrids" Watson Ladd
- Re: [CFRG] What I want from the "KEM hybrids" Filippo Valsorda
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Sophie Schmieg
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Hubert Kario
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Neil Madden
- Re: [CFRG] [EXTERNAL] Re: [EXT] What I want from … Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Watson Ladd
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] What I want from the "KEM hybrids" D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Watson Ladd
- Re: [CFRG] What I want from the "KEM hybrids" Filippo Valsorda
- Re: [CFRG] What I want from the "KEM hybrids" Salz, Rich
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Salz, Rich
- Re: [CFRG] What I want from the "KEM hybrids" Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: (no subject) Watson Ladd
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Peter Gutmann
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Watson Ladd
- Re: [CFRG] (no subject) Filippo Valsorda
- Re: [CFRG] [EXTERNAL] Re: (no subject) Natanael
- Re: [CFRG] (no subject) Watson Ladd
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] [EXTERNAL] Re: (no subject) Watson Ladd
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] [EXTERNAL] Re: (no subject) Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: (no subject) Watson Ladd
- Re: [CFRG] [EXT] Re: [EXTERNAL] Re: (no subject) Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Carl Wallace
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Santosh Chokhani
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Santosh Chokhani
- Re: [CFRG] Millions of dollars of hashing Ilari Liusvaara
- [CFRG] Combiners: is the tail capable of wagging … D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] Millions of dollars of hashing Bas Westerbaan
- Re: [CFRG] Millions of dollars of hashing Sophie Schmieg
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- [CFRG] Why we use ECDH instead of traditional DH D. J. Bernstein
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Mike Ounsworth
- Re: [CFRG] Tens of millions of dollars of CPU cyc… D. J. Bernstein
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] Millions of dollars of hashing Adam Langley
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Ilari Liusvaara
- Re: [CFRG] Proposed CFRG hybrid KEM scope Simon Josefsson
- Re: [CFRG] stick to kems maybe (Re: [EXTERNAL] Re… Mike Ounsworth
- Re: [CFRG] Proposed CFRG hybrid KEM scope Loganaden Velvindron
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Ilari Liusvaara
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Bas Westerbaan
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Ilari Liusvaara
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] Millions of dollars of hashing Peter Gutmann
- Re: [CFRG] Millions of dollars of hashing Adam Langley
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] Millions of dollars of hashing John Mattsson
- Re: [CFRG] What I want from the "KEM hybrids" Jeffrey Burdges
- Re: [CFRG] Millions of dollars of hashing Sophie Schmieg
- Re: [CFRG] Why we use ECDH instead of traditional… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] Millions of dollars of hashing Neil Madden
- Re: [CFRG] Millions of dollars of hashing Sophie Schmieg
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Millions of dollars of hashing Eric Rescorla
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Bas Westerbaan
- Re: [CFRG] Millions of dollars of hashing Peter Gutmann
- [CFRG] Tens of millions of dollars of CPU cycles D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- [CFRG] stick to kems maybe (Re: [EXTERNAL] Re: (n… Stephen Farrell
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Neil Madden
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Neil Madden
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] [EXT] Re: [EXTERNAL] What I want from … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Salz, Rich
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Sophie Schmieg
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Peter Gutmann
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Peter Gutmann
- Re: [CFRG] Tens of millions of dollars of CPU cyc… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Santosh Chokhani
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Peter Gutmann
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Salz, Rich
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Chris Barber
- Re: [CFRG] Tens of millions of dollars of CPU cyc… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: (no subject) Sophie Schmieg
- Re: [CFRG] Why we use ECDH instead of traditional… Ilari Liusvaara