IETF Logo Mail Archive

[TLS] Re: [EXT] Re: Boring cryptography, and the opposite extreme

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 15 April 2025 14:06 UTC

Return-Path: <prvs=8200351888=uri@ll.mit.edu>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1E1D71C42C1A; Tue, 15 Apr 2025 07:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.086
X-Spam-Level:
X-Spam-Status: No, score=-4.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFsxWO5CwUy1; Tue, 15 Apr 2025 07:06:35 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) by mail2.ietf.org (Postfix) with ESMTP id 2B3B21C42C0C; Tue, 15 Apr 2025 07:06:35 -0700 (PDT)
Received: from LLEX2019-02.mitll.ad.local (llex2019-02.llan.ll.mit.edu [172.25.4.98]) by MX2.LL.MIT.EDU (8.18.1.2/8.18.1.2) with ESMTPS id 53FE3gNc123783 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 15 Apr 2025 10:03:42 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=ucRgkYCa6smv/rJIedzyBWeMqnbf0QPgY+84LcRFTZGasodE/EOjU0ZDo+ef/9pYEtwi33y+wK2iE/Dc0FXeGOVtsHO8EWC9/jlpz/KqdlGi7DAm+EKCSIZkTFu3mWgmR53AQEnscVrhccsM71WEm1q6LFw4YMevHe1lgtlgqicZt9/0UGehgdPmfDGgY4giv/+qJpi8S9Q+PMaPV2GZfR/utKRk8U7BIdsX+HQKhgOJCVgpzReH+s7lWQwdSHNRZgy6drMjm22Wo9RH5BaQbxisRVG5/x6sbfWXsrZ2svZsbPYnq3927R7drldes9B01TP45e71yAWoCFfANmdtbQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=r+IjPFisph1dihcoj5913hu734o9upLB9+HFXhw2YLA=; b=Lyw904hUVgikvo7wswmsFaBDDBHltMICcVOW/inBfW88sl1+ItZ/rirMFdr5ySqV6OvdeQr5+zfD6xu1dyRu7mW0p9QHSEvUCgWoKkFNjHLYGEmw/M/l9rbtRVGo09brNUSZ9zMYsUMlP50xP6r0PXo0HYhQl3qdLkmWCF5J5hbTSQxnyoBQ4UQjinbLe8e38kPf7dh6Fic3utIV2wrJvY5kZUpb76Zg8UGqO4DJ3fmGzPFqgzVpLdtm/nl1nszsIHGauMbqdcE/gPGhDOpTQPEvSTKPep31LbDTsbPC3kbTvRXqmUtNYvJU+hunC/5+GkHx2soDvxVeimzhUdV7OA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [EXT] [TLS] Re: Boring cryptography, and the opposite extreme
Thread-Index: AQHbreyl5hJpPR8nBEm7CKMoJZSG2rOkfuUAgABClWw=
Date: Tue, 15 Apr 2025 14:06:30 +0000
Message-ID: <BN0P110MB1419F74C1902A229108E039890B2A@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
References: <20250404181527.159292.qmail@cr.yp.to> <20250415095459.198093.qmail@cr.yp.to> <CAMjbhoViP8pHObYipqshh7H8m-AvdZEjgCKn4Z4OKj3dRwBtqg@mail.gmail.com>
In-Reply-To: <CAMjbhoViP8pHObYipqshh7H8m-AvdZEjgCKn4Z4OKj3dRwBtqg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-reactions: allow
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN0P110MB1419:EE_|PH1P110MB1129:EE_
x-ms-office365-filtering-correlation-id: 746c4c83-2578-4bd3-005e-08dd7c26b8cb
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;ARA:13230040|366016|4022899009|1800799024|4013099003|8096899003|4053099003|13003099007|7053199007|38070700018;
x-microsoft-antispam-message-info: SXLRQklWZW+ukVuazSa4JRg/YQWv1hOe5T+qAkTWj9sNSqkFfjs5HScB39Df3JD3SS4axK3IfDoDubqqaS0FFlIB4mBn13Tn+0dQvHtlRvho6uApE4X2/pCJ5+Q5TW98hQ0yZUOPjbWmf3d3YG09eC6P4P/jJNGPbQqlziEWe+fL41mZGjGDmz1iGDjH3l92M1d8TwE707X7nS9qqWb2bM7Vltixe0XrXIdHMYacafCnugl3dZmQ11FLDuwejxOt+3AxrGgYPU3bTGBz5U2TPub/hch0EkoCYlf6Qp23HtfdNj/HgmxhX/QzopZp0KC9vLqCd3P6zR6CpnmDDDX+hqEkbOD3bn0Ps3oJ5kG+92z1LMu0C+/1wRMEnEuVoLd4eaJak7Ck7JdHXJrEfTTyAo9kwC+rTPmJEKli/NS2yWviciwnXB5oZKgUtou4i9hzcoR3ra3WWAf9TffIckCD91DPGoLxs+HKQaIYvaY/fWC7q2f5wtkUA7OwF9jgAnK+xRln2rbRCgxRqa6MGWYHu2ZNUUpDWUaiq+fWJUaa3XVb2sGwZTnuhS6XTgsZZMBFmN0EjxCJEzHTA43XACsBymrEvAVbnm9iF3Cjl+dximKc8nv3dEKcvXBRLrietLDEiWAbwztYDCX/ndPKeX8NzDgdc+FeZtbeZCplxFqp2WNv9JEDVcFus025tzAMCWdWHICgE3gq/CiVnX6SI0KNDKOU3u1J/6FMjMilreWNxaSnNCwGLd/k4/Yfofh7VEzLnHWbQ5jU3TrzeGbOVsobddCQwcWhxBf54w8oYscp+Dxotb6oRtTr6FT3h4vuInqTdWXNrrObDk2yLplWtkEvWjm0X4OgdaFMdlBlNj/7rZ+k+Y/SwtS0VpxNik7o2oUbhn2NkTDD3sv0nsH1RYawBWIQc9+23xcAOBdMGkK9pzMmr16SuNh9VJH+lYHyJufMe75fZChuPO2hGejsKnqa5Kbu8MGg728ZK0cCpO2VjRCu/uv/AupvH4eenJyijYvgqiakiXMsQ1SGqjZjm+wuD6C0bju5qfk0mIb43y1zbrZd5mt5VGXGQs+hOvCe+I3cNfGuWCiVmqbDuqJqSE+yj4eheBP58aAEjwtJ0SsD09kHwuNZIiETMgKJcVH9ee2kFxoLlAQjAx5lwZgaUZ2I9ZtNaH23CNe4qSR47QnVfMQVXYDiGmFqEmejev80CyMAtyqQDaCad7HdjXaqAgTc+mBifgvOBtGH+GGgce+IKmiz4NBRbT+zZzfw7xJVbN5cIAWxnH/wlWLukgZxYywDyec3xg3APUhLMR+xHIGls1MW6MVniyo6FEVBh1ILT/Mru8kx7GoN1aEp5Z36RlUO+5CiSQCFCGJ7tFA9/YFIekU=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(4022899009)(1800799024)(4013099003)(8096899003)(4053099003)(13003099007)(7053199007)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: u4A9ainRYLpMHCsdaL6iywc6OL7+/niJjy/19DgSx722jiEr8qzG2K/tzl70Sl8cEpDeY3cDjzWzg6Bi4KyoitzE0uPTMjQI1G9Ud8yv1G2CVxrwIameMdzZsp9ajZx9wn3hr3y7ZiHv6w7KDHKT+WaiwMtUpmQ1JMP1mPAVGdWEcG2qlrJBvhBbA3uD9p8r/Cvw1T9nBfEkUgLZWhp8W6gDnI5bb1ONL4C6vVRkfrZ3n7o1H8kcGrH+iIHe321Twd9fk+zXdg4W/RRgn7QrqVD5SyDaADQQnrC+xNgJzQlpQd/vgLpAFeI8jPjk8NvoCUhmNzVA/GXBkg6WA7cg47GBh2z/H+R66w/WC+T2revQH/oqoejqJVk6LDRTZyvw57Ywvkn4OU3Q/dq20DWTooRk0Zti307v/mCYzaLj9v1t7/QWFHXW12Ek0y3PuOkZL3uj+y3VafQ6Y/oOlaQreP1EQnVg8IfjhlSBGIgFxerB0EDVukHl2a8+raQhhla1gzKZZFgl5VyIbwZM71DXeSwwjcMLlCMuF9j0Xh0QiBRn04H0bj1VDdMkYZcplIL8tj6899woLgQaef23aopqaYPhO20IECVeJI4vQIYNPR3XDqdp6TH2CNAvl/91u3K4Idrjjsz6fRMfHYmnS6hwJiWL24+RoOmEzkbvpapc/BN/0O37wkhxFh95AxTA84dEOQrTCQm75mYWaq5tEnvmRr4G/QPPbMrmmzvhcKAdrmxLoBMKchjcxblBHotibx0bAS9BCHq52wNY0WSR9QV4zsX7GOQCeKwIV6a43duc4Zh53FslcVFtHgxTQhFQe9uTbKOK6r9A1VsIuzkTPaWtnwax0w808K1XkW9pinxKMibGP2fNKrdqRrdO2Nd83Tucdz4Ci7S/gAViuE0yyBZ7enww/xjccxYZS3k8b5YlVxAofdlVSsRyJVZ8mQkFi4KFaVabOhGRH4E32NoX3+0i94mNBqSmiUhqfYyFMzfkK2QoS8X+C2M4ukozFKivY4p5KoB9+hc7jZgiSypeaCPjGo3k7eVVu4Czil/RfheZL/mIgQY1aWuc3v/cN7lwWXUiuIp+tZwmNHZgusVIX6Fce8AR36HSAFGFfP1RP9Zahatruvxdhs/q+10OkUNJK4cK3VlZTDNT/rMYtrpoCY6RmzoUg1f/hOang+Gsmqi7zWiubdDWEbRBCu6KIJO0ePsJhqSqrh//AXLsVHNa9IgQliuIRdIPYd5IQXnHhPLrC/iRma9GBoAaL9Hxxbgt33QSff0GYuRhMcP67Lud9CLCDv9w7VysKzndZ/POCJlA3GTloqiOP0ah20i0dxotLu7AvwA59tcATUZQPy9X2HI5pu4Tacq4DhKMP9IoPYtoAeVbQWPcgmKXCgBGHE0Bn77eor4V1MjIllOiQTjHicu/iLsbbjB/PwVhf+WeRNH6Y5EA55++FNfUWA83F2enCsVPBTtx3yBr6hE578ZbTGIwBM/BIWhUSo9EKQUOGZ0x91CrFxMhn1vr9aorvPm4viW4
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_14671795-BF90-0640-85C4-799A2C576030_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 746c4c83-2578-4bd3-005e-08dd7c26b8cb
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Apr 2025 14:06:30.6874 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH1P110MB1129
X-Proofpoint-ORIG-GUID: KTrQp9sUp6-aB5WECdxwzmNQ504nyCFg
X-Proofpoint-GUID: KTrQp9sUp6-aB5WECdxwzmNQ504nyCFg
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-15_06,2025-04-15_01,2024-11-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 mlxscore=0 bulkscore=0 phishscore=0 malwarescore=0 mlxlogscore=999 suspectscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2502280000 definitions=main-2504150099
Message-ID-Hash: DUXP6U6OM62KMFM6CRLYWPUDOL7XN4HA
X-Message-ID-Hash: DUXP6U6OM62KMFM6CRLYWPUDOL7XN4HA
X-MailFrom: prvs=8200351888=uri@ll.mit.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXT] Re: Boring cryptography, and the opposite extreme
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2gMgvIZSnfFi47D__cgxFP8p6KQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Thank you, Bas! And to save time for those who don’t want to follow the NIST mailing list trail – here’s the response from Leo Ducas posted there: 

Dear All,

Thank you, Kevin, Charles, Yixin, Jean-Pierre for your careful analysis and report.

While most of the points below are acknowledged in your paper, I would like to highlight the specific cost modeling points that deserve further consideration, to contextualize the numbers you advertised, and invite further work:

A/ As noted on footnote 6, the current estimate uses a GSA slope for the output of BKZ, but use a progressive-BKZ costing, undercosting lattice reduction by 2.5 bits [1] 

B/ These estimations do not include overheads documented in [2], of about 5 bits at security level 1. 

C/ The costs C_add=160 and C_mult=1024 are questionable, given that one runs an FFT on more than 2^100 scalars. These costs suggest a calculation at 32 bits of precisions, which may lead to numerical error beyond the precision required to detect the solution among the so many candidates. 

It should be noted that item B/ applies to both primal and dual attacks: the current best estimate for the primal attack [3] also doesn't include that overhead. Item A/ and C/ are specific to the current analysis of dual attacks.

With A/ and C/ in mind, it seems that the primal and dual attacks are neck-to-neck, and therefore agree with your conclusion that the dual attack should not be dismissed. With B/ in mind, there remains a few bits to be gained by cryptanalysts before the security levels would be convincingly crossed. 

[1] https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/BZFRC8hiAAAJ <_blank> 

[2] https://eprint.iacr.org/2022/922 <_blank>
Estimating the Hidden Overheads in the BDGL Lattice Sieving Algorithm
Léo Ducas 

[3] https://eprint.iacr.org/2024/067 <_blank>
A Refined Hardness Estimation of LWE in Two-step Mode
Wenwen Xia, Leizhang Wang, Geng Wang, Dawu Gu, Baocang Wang

-- Léo 

-- 
V/R, 
Uri 


From: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
Date: Tuesday, April 15, 2025 at 06:04
To: tls@ietf.org <tls@ietf.org>
Subject: [EXT] [TLS] Re: Boring cryptography, and the opposite extreme 

For everyone's convenience: https: //groups. google. com/a/list. nist. gov/g/pqc-forum/c/RsQbm_AQfzs/m/19o76lsyCwAJ On Tue, Apr 15, 2025 at 11: 55 AM D. J. Bernstein <djb@ cr. yp. to> wrote: A message has just appeared on pqc-forum claiming 

ZjQcmQRYFpfptBannerStart 

This Message Is From an External Sender 

This message came from outside the Laboratory. 





ZjQcmQRYFpfptBannerEnd 

For everyone's convenience: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/RsQbm_AQfzs/m/19o76lsyCwAJ <https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/RsQbm_AQfzs/m/19o76lsyCwAJ> 




On Tue, Apr 15, 2025 at 11:55 AM D. J. Bernstein <djb@cr.yp.to <mailto:djb@cr.yp.to>> wrote: 

A message has just appeared on pqc-forum claiming yet another attack
improvement against lattices---improving what are called "dual" attacks
and breaking earlier claims about those attacks not working; concretely,
reducing "the security of Kyber-512/768/1024 by approximately
3.5/11.9/12.3 bits" below Kyber's security goals in the same cost model
used in the round-3 Kyber submission.

For comparison, the round-3 Kyber security analysis had claimed that
"primal" attacks for round-3 Kyber-512 (after patches to Kyber-512 in
response to earlier security issues) were ~10 bits above the goals, and
that dual attacks were "significantly more expensive" than that.

The "significantly" slowdown wasn't quantified, so the reader is left
not even knowing how much improvement there has been. Did these 5 years
of public attack development reduce the costs of Kyber-512 dual attacks
by 20 bits? 30 bits? As for the future, how much farther will the cliff
crumble? We don't know. Continued excitement for researchers! Lattice
attacks today are far less stable than ECC attacks were two decades ago.

To be clear, I'm not opposing efforts to roll out post-quantum systems:
on the contrary, we have to _try_ to stop quantum attacks. I'm simply
saying that we shouldn't be ripping out seatbelts.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org>

v2.30.2 | Report a Bug | By Email | System Status