[TLS] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3

Bas Westerbaan <bas@cloudflare.com> Wed, 16 April 2025 08:21 UTC

MIME-Version: 1.0
References: <582917A1-F936-4A15-AE9D-342076605BE7@sn3rd.com> <F347DA21-EB06-4FBF-B357-871A0FFA8DB1@sn3rd.com> <Z/7lbXqb8QHruMS2@akamai.com> <05bd6aa6-4b41-4bdc-8875-d380924031cf@cs.tcd.ie> <IA1PR17MB6421EBF2FDA5B4395C92D6D3CDBD2@IA1PR17MB6421.namprd17.prod.outlook.com> <73c3de1d-a9ee-43ee-8a71-ac1fe28ca467@cs.tcd.ie> <IA1PR17MB6421FCBACFA92AF01342D2FDCDBD2@IA1PR17MB6421.namprd17.prod.outlook.com> <c19d4aab928747fc3e702bdad7bf22ddf120ff9f.camel@aisec.fraunhofer.de>
In-Reply-To: <c19d4aab928747fc3e702bdad7bf22ddf120ff9f.camel@aisec.fraunhofer.de>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Wed, 16 Apr 2025 10:21:09 +0200
Message-ID: <CAMjbhoWMz180cGYrOM8S+KUkEP34rxCVtcw59hMW+vZv-FgCqw@mail.gmail.com>
To: "Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de>
Content-Type: multipart/alternative; boundary="00000000000055be840632e0f850"
Message-ID-Hash: 5VWC7LZAAXV5JFIYCBM7UYI6OOU4TCPZ
CC: "rsalz=40akamai.com@dmarc.ietf.org" <rsalz=40akamai.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Precedence: list
Subject: [TLS] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-pjWkZhvhABqEfn685AEs4WoIhU>

On Wed, Apr 16, 2025 at 10:15 AM Bellebaum, Thomas <
thomas.bellebaum@aisec.fraunhofer.de> wrote:

> > That’s easy to answer: “many of our members have very
> hardware-constrained PoS devices.” Is that okay?
>
> Some context:
>
> Kyber requires several KB of RAM space according to [1], figure 1:
>
> KG = KeyGen, E=Encaps, D=Decaps, H=Heap, S=Stack
>
> Alg       | KG(H) | KG(S) | E(H)  | E(S)  | D(H)  | D(S)
> ----------+-------+-------+-------+-------+-------+------
> Kyber1024 |13,480 |16,488 |10,736 |19,024 |10,768 |20,304
> Kyber512  |11,176 | 7,208 | 7,632 | 9,072 | 7,664 | 9,856
> Kyber768  |12,328 |11,304 | 9,104 |13,680 | 9,136 |14,784
>

This is misleading. There are many implementations of Kyber that require
much less memory. See eg [1] from 2019 where Kyber-512 only requires 2736
bytes.

By the way, for key agreement, between keygen and decapsulation, a client
only needs to keep around the private key seed (64 bytes).


> For comparison, [2] is an implementation of Curve25519 using no heap space.
> On an ATmega128, it uses 462 bytes of stack space for a curve
> multiplication.
>
> While these numbers are not comparable as is (C25519 does not include the
> KEM-Hash, Architectures are different, I am unconvinced that Kyber was
> fully optimized for this in [1]), the difference is striking enough to ask
> a follow up:
>
> Are there concrete devices/scenarios supporting ML-KEM + an application,
> but not ML-KEM + X25519 + an application, especially since the memory
> necessary to store two X25519 keys and a DH-KEM session key during the
> ML-KEM computations is 3*32 bytes?
>
> -- TBB
>

Best,

 Bas

[1] https://cryptojedi.org/papers/nttm4-20190513.pdf

[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… John Mattsson
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Thom Wiggers
[TLS] WG Adoption Call for ML-KEM Post-Quantum Ke… Sean Turner
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Russ Housley
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Rebecca Guthrie
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Yaroslav Rosomakho
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Sun Shuzhou
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Martin Thomson
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Viktor Dukhovni
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Yaakov Stein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… David Adrian
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Loganaden Velvindron
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Kris Kwiatkowski
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Deirdre Connolly
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Filippo Valsorda
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Jan Schaumann
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Filippo Valsorda
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Deirdre Connolly
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Alicja Kario
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Loganaden Velvindron
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… tirumal reddy
[TLS] Re: [EXTERNAL] Re: WG Adoption Call for ML-… Yaakov Stein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Joseph Birr-Pixton
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Rob Sayre
[TLS] Boring cryptography, and the opposite extre… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXTERNAL] Re: WG Adoption Call for ML-… Andrei Popov
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Sean Turner
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Scott Fluhrer (sfluhrer)
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Boring cryptography, and the opposite e… D. J. Bernstein
[TLS] Re: Boring cryptography, and the opposite e… Bas Westerbaan
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Loganaden Velvindron
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Flo D
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Quynh Dang
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Sean Turner
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Andrey Jivsov
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Benjamin Kaduk
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Rob Sayre
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Nico Williams
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… D. J. Bernstein
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Nico Williams
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Stephen Farrell
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Flo D
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… David Adrian
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Stephen Farrell
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Flo D
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bas Westerbaan
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bas Westerbaan
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Paul Wouters
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Paul Wouters
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Viktor Dukhovni
[TLS] Re: [EXT] Re: Boring cryptography, and the … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Stephen Farrell
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Rob Sayre
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Nico Williams
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Paul Wouters
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Loganaden Velvindron
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Stephen Farrell
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Stephen Farrell
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Nico Williams
[TLS] Re: [EXTERNAL] Re: [EXT] Re: WG Adoption Ca… Andrei Popov
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Salz, Rich
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Rob Sayre
[TLS] Re: [EXTERNAL] Re: [EXT] Re: WG Adoption Ca… Deirdre Connolly
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Benjamin Kaduk
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Nico Williams
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Loganaden Velvindron
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Sean Turner
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Watson Ladd
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Andrey Jivsov
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… S Moonesamy
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… S Moonesamy