Re: [Cfrg] Applied Quantum Resistant Crypto
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 18 July 2018 08:10 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46ECC130F07 for <cfrg@ietfa.amsl.com>; Wed, 18 Jul 2018 01:10:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MM5Sdw36CJAw for <cfrg@ietfa.amsl.com>; Wed, 18 Jul 2018 01:10:51 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 396A4127148 for <cfrg@irtf.org>; Wed, 18 Jul 2018 01:10:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 9B8F654AC8; Wed, 18 Jul 2018 11:10:48 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id Kgjizo_-8SeU; Wed, 18 Jul 2018 11:10:46 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id F0C112308; Wed, 18 Jul 2018 11:10:43 +0300 (EEST)
Date: Wed, 18 Jul 2018 11:10:43 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <20180718081043.GA18560@LK-Perkele-VII>
References: <42efe1a4-0532-dbb0-a21a-10120f6656b3@openca.org> <37a4f236-6842-b1ce-68f4-805f2e3f8a48@cloudflare.com> <1b8ed08eaa56457b93e1dfd3b0e7235e@XCH-ALN-010.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1b8ed08eaa56457b93e1dfd3b0e7235e@XCH-ALN-010.cisco.com>
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tYqZcc-SaZWfScSGfWZai_opbEU>
Subject: Re: [Cfrg] Applied Quantum Resistant Crypto
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 08:10:54 -0000
On Wed, Jul 18, 2018 at 03:01:14AM +0000, Panos Kampanakis (pkampana) wrote: > Hi Kris, > > Thank you for the update. Interested to see your results and SIKE’s > performance. > > Were you thinking to use SIKE in TLS 1.3 a similar manner to the one > proposed in https://tools.ietf.org/html/draft-whyte-qsh-tls13-06 > which uses a hybrid approach (traditional+QRC) KEM? My own experiments on PQC (very small scale) have included: - HILA5+X25519 for key exchange in TLS 1.3. - LAKE(+X25519) for key exchange in TLS 1.3. - Falcon for signatures in TLS 1.3. - Dilithium for signatures in TLS 1.3. - Pushing Firefox 52 ESR (version is weird, this one supports -draft28, not -draft18 52ESR is supposed to have disabled-by-default) to the breaking point. The one I discovered was that 65536 by certificate or larger breaks it. The way I implemented hybrids was just to stick public key or ciphertext for KEM in the same key share payload as X25519 public key. Rationale for HILA5 was that it was the first CPA PQC KEM I found that: - Had small enough keys and ciphertexts (fits into TLS record without fragmentation). - Open enough reference implementation that was a proper library or easy to modify to be a proper library. Later for LAKE, the rationale was: - Had small enough keys and ciphertexts for fitting the TLS CH/SH into one packet. - Should admit implementation with decent speed using AES instructions. - No known IPR (funkily enough, some of the authors have one of the most annoying pieces of IPR when it comes to PQC). The reference implementation was in C++, and this was not acceptable, so I wrote my own implementation (the code looks horrible). This implementation is quite a bit faster than the timings reported for the reference one, but no order of magnitude improvement (since the library reference implementation uses for most operations is optimized). Rationale for Falcon: - There was a open enough library available. - The most compact signatures for in NISTPQC. Rationale for Dilithium: - No known IPR (Falcon has known IPR). - The second most compact signatures in NISTPQC. The reference implementation only supported one variant at at a time, so I ported the reference implementation to Rust, at the same time removing the one-variant restriction. The reason for finding breaking points of Firefox was to see what would be acceptable for signatures if one used scheme similar to what was proposed in draft-truskovsky-lamps-pq-hybrid-x509. The only relevant restriction I found was that certificates had to be 65535 bytes or less or Firefox would WSOD. I did not find other limits like limit on individual size of an extension. I think testing other browsers and non-browser clients for similar limits would be valuable, to discover what NISTPQC signature schemes are acceptable. Be creative in making the testcases, as the dominant limit can vary from client to client. The reason why one wants something like hybrid-x509 is that anything like past two algorithm transitions for WebPKI would be not acceptable if large quatum computers would be coming around in 15 years. Yes, with TLS 1.0 and 1.1 already dying, one could try to use the more advanced TLS 1.2 and 1.3 algorithm negotiation, but I am concerned how well it would work in real world due to missing server support in most servers. Because Certificate Transparency is also coming, and frequently is stapled into certificates, I internally used 1 key + 5 signatures in 60kB as the criteria. The unbroken NISTPQC algorithms that can meet this are (AFAICT): - Falcon - Dilithium - pqNTRUsign - qTESLA (heuristic only) - LUOV (Original round 1 submissions also had WalnutDSA and RankSign, but both were broken far beyond what simple parameter tweaks can fix). -Ilari
- [Cfrg] Applied Quantum Resistant Crypto Dr. Pala
- Re: [Cfrg] Applied Quantum Resistant Crypto CJ Tjhai
- Re: [Cfrg] Applied Quantum Resistant Crypto Kris Kwiatkowski
- Re: [Cfrg] Applied Quantum Resistant Crypto Panos Kampanakis (pkampana)
- Re: [Cfrg] Applied Quantum Resistant Crypto Ilari Liusvaara
- Re: [Cfrg] Applied Quantum Resistant Crypto Kris Kwiatkowski
- Re: [Cfrg] Applied Quantum Resistant Crypto Douglas Stebila
- Re: [Cfrg] [pkix] Applied Quantum Resistant Crypto Wirth, Klaus-Dieter