IETF Logo Mail Archive

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

Phillip Hallam-Baker <ietf@hallambaker.com> Sat, 06 August 2022 17:07 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77550C157B37 for <tls@ietfa.amsl.com>; Sat, 6 Aug 2022 10:07:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.431
X-Spam-Level:
X-Spam-Status: No, score=-1.431 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GcKcuI5eHqwC for <tls@ietfa.amsl.com>; Sat, 6 Aug 2022 10:07:44 -0700 (PDT)
Received: from mail-oo1-f42.google.com (mail-oo1-f42.google.com [209.85.161.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D823BC157908 for <tls@ietf.org>; Sat, 6 Aug 2022 10:07:44 -0700 (PDT)
Received: by mail-oo1-f42.google.com with SMTP id j1-20020a4ab1c1000000b0043576bcb9b1so962652ooo.10 for <tls@ietf.org>; Sat, 06 Aug 2022 10:07:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6pqdh9RdHyUxAY0vnFg80LHTdU0EsBoaBr7+pupIreQ=; b=fg3E+hfZgc2GxWUuXcdoFaP+C+sOiur2uGBvaVVoiZvf1KsbJe28Xz0qciGRgyN/1n UZBdPpaWfUUNJAJ5vDR4Pw1xhtym97pvZqCF7awQKDFrB9UtVPGJLn1E+HYBDrjNeDu4 StfHoLzF2hNXTcq9rkgLNrBT8hXkioa1ghU+X82uAxOKP64CDZKooG2opb+yhRVQFdFx a6J8Pi1qVM9TGWmMnI3jLJMoR+Y4nGY9LC8IAn/OEUmyWjErYbwGwPZ6/FfWxOGC52UB j3xAs9FxykVCvdFOJ9uqE1GXyU8YaXGflsL15loP8zyiPFgNjuLGfTbd6jUk4aOv568N ECug==
X-Gm-Message-State: ACgBeo3gE/56l9ndiwBchdQa3Y5pLir61c0qeFT+baMEgMw36bf7agxQ JAn25514P3AKnwPC9L6e+IZFLwp+wXzelDOTsfxwbNH1cEs=
X-Google-Smtp-Source: AA6agR60XQR9TkEYRYhaIQpY/I8kMcLOLOSPK+e4BrrZb88Sya/HYtqoMMAiOiyp6Z6tLZe98Y/LlqbNuatLLffhob8=
X-Received: by 2002:a05:6820:54c:b0:435:a5e0:6af2 with SMTP id n12-20020a056820054c00b00435a5e06af2mr4348581ooj.6.1659805664084; Sat, 06 Aug 2022 10:07:44 -0700 (PDT)
MIME-Version: 1.0
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com> <CAMm+LwgAzb4t=awzpU4Sb5j7Bf6DuR3u+23n+h_C3Pnsin-SHg@mail.gmail.com> <8383756C-5595-4028-9E5E-8B758147ED33@ll.mit.edu> <CAMm+LwgHNL_aHqK+TbdBf=xJBPftjkXL_=isXUJB+mbiUc7_Lw@mail.gmail.com> <58778bee-ccd8-3b6b-cdf3-7392cd6f3187@riseup.net> <CAChr6SxXVzKptFzDEczOUzVf+LGSNxY=rk45DgXceg_anA_SPQ@mail.gmail.com> <20220806051541.GQ3579@akamai.com> <CAChr6Sy3vGbcDCDXWOGNwLQgwZZG_z3HTSgz54Ch2_vurF++RA@mail.gmail.com> <20220806152925.GR3579@akamai.com>
In-Reply-To: <20220806152925.GR3579@akamai.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
Date: Sat, 06 Aug 2022 13:07:33 -0400
Message-ID: <CAMm+Lwjob+UZ=s8g+_Xyu-j1eE2NJoAYwkDbV2poJzgoETccow@mail.gmail.com>
To: Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>
Cc: Rob Sayre <sayrer@gmail.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000001062f05e5959f86"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/D59hJytqb2mzMZ_htgbuv2plMfI>
Subject: Re: [TLS] Before we PQC... Re: PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Aug 2022 17:07:45 -0000

On Sat, Aug 6, 2022 at 11:29 AM Benjamin Kaduk <bkaduk=
40akamai.com@dmarc.ietf.org> wrote:

> On Sat, Aug 06, 2022 at 04:00:59AM -0700, Rob Sayre wrote:
> > On Fri, Aug 5, 2022 at 10:15 PM Benjamin Kaduk <bkaduk@akamai.com>
> wrote:
> >
> > >
> > > It's annoying to the attacker when they have to use their expensive and
> > > finicky
> > > hardware once (or multiple times) for each individual message/exchange
> they
> > > want to break,
> > >
> >
> > Well, I can agree with the term "expensive", but I'm not sure what you
> mean
> > by "finicky". Are you saying they only work sometimes? It seems a bit
> > hand-wavy to say that.
>
> (Note: my Ph.D. is in theoretical (quantum) chemistry.)
> Quantum mechanics is inherently a matter of probabilities and potential
> outcomes.
> Current hardware relies on either being very cold, very isolated from the
> surroundings,
> or both, to avoid unwanted coupling between qbits and the outside world
> that causes
> decoherence.  Achieving the physics in a physical engineering matter is
> inherently finicky,
> though you can build error-correction and robustness on top of it that
> helps.
>

That is not the only model of quantum computing. If it was, I would be
saying this entire effort is a silly waste of time because the approach is
fundamentally unscalable. They can throw lots of gates onto a chip but the
entanglement collapses before they can be used. So the capabilities inch
forward slowly and require ever greater amounts of cash.

The trapped ion machines operate at room temperature and can be made in
regular silicon foundries. Nobody has built a complete one yet but
prototypes do exist. If someone could get a complete ten qbit machine
working, they would scale to hundreds of thousands in the production
version. It would not be a gradual process, it would be like a Manhattan
project.

Fortunately we are a long way from that happening and the prototypes are
optical systems which are limited to a second or so. The hyperfine
transition machines have no such limitation.

v2.23.0 | Report a Bug | By Email