[TLS] Re: Concerns about the current draft.
John Mattsson <john.mattsson@ericsson.com> Fri, 29 August 2025 18:16 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Re: Concerns about the current draft.
Thread-Index: AQHcATD03sWs2BJdtE+pJgVO7rWscrR1uEGAgAEbGICAA0PugIAAANKV
Date: Fri, 29 Aug 2025 18:16:36 +0000
Message-ID: <GVXPR07MB9678CF53A08828BFB66A4600893AA@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <CAEEbLAaJ6-hFTJQHMQ1qwWVWEFWp9hTXjZwQR4SDmRFFHbW=EA@mail.gmail.com> <20250829174621.213770.qmail@cr.yp.to>
In-Reply-To: <20250829174621.213770.qmail@cr.yp.to>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FcYKmu_dwYc3-254nAEt9cdF_Ro>
Sophie Schmieg wrote:

> As Bas mentioned, there is currently no indication that Grover's algorithm can practically break AES-128 any time soon.

Completely agree.

> Grover's algorithm is inherently sequential, and cannot be parallelized,

Cannot be _effectively_ parallelized would be a more theoretically correct statement. But practically, Grover's algorithm will never be used for breaking AES-128. Quantum computers will also remain much slower and much more expensive than classical computers. Anybody claiming Grover's algorithm is a threat to any cryptography should provide a detailed calculation of the cost, size, and time. With realistic assumptions you end up with results like “a huge cluster of one billion CRQCs (according to one estimate costing one billion USD each) would take a million years of uninterrupted calculation to find a single AES-128 key” or “require qubits covering the surface area of the Moon”.

https://datatracker.ietf.org/liaison/1942/
https://www.youtube.com/watch?v=eB4po9Br1YY&t=3227s

John

From: D. J. Bernstein <djb@cr.yp.to>
Date: Friday, 29 August 2025 at 19:47
To: tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: Concerns about the current draft.

Sophie Schmieg writes:
> Grover's algorithm is inherently sequential, and cannot be
> parallelized, making the standard approach of throwing more compute at
> the problem to scale up infeasible.

One can split the search space across many parallel quantum processors and run a smaller Grover search on each part of the space, as noted in, e.g., https://arxiv.org/abs/quant-ph/0309123 from Grover and Rudolph. To some extent it's possible to combine this with multi-target attacks. See https://cr.yp.to/papers.html#groverrho.

Even without quantum computers, 2^40-target attacks against AES-128 are already a feasible computation today for large-scale attackers. One can try to stop these attacks by having every AES-128 application randomize every input block, but we keep seeing people screw this up. This is the sort of thing that _probably_ ends up working for TLS, but it's fragile, and the broader habit of tolerating this sort of fragility is certainly a big factor in the problems that we _have_ seen in TLS.

I agree that the Grover speedup compared to non-quantum searches comes from the number of serial iterations carried out on each processor, and meanwhile this has to fight against the quantum-computation overhead--- which could end up as 2^30 or 2^40; we don't know yet. But this doesn't make AES-128 a safe option: on the contrary, tolerating AES-128 will end up compromising the confidentiality of some user data.

> confirmed the infeasibility of Grover's in at least the
> medium term of several decades to centuries

I see no basis for this claim.

> the reason for ECC + lattice based hybrids are becoming less
> compelling with every day that passes in which lattices do not get
> broken

One of the talks at Crypto 2025 last week said that none of the Kyber parameters meet their claimed security levels.

---D. J. Bernstein
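The multi-target point in Bernstein's message (many users encrypting the same known block under different keys, and the "randomize every input block" countermeasure) can be made concrete with a small simulation. The following is an added example, not code from either message or from any TLS implementation: it uses a constructed toy "cipher" (a keyed, truncated BLAKE2b) with a 16-bit key space so the exhaustive search finishes instantly; the key sizes, target count, known block and seeds are all made up for the demo, and none of it is AES. It shows that when T users all encrypt the same input, one encryption per candidate key tests all T keys at once (expected ~N/(T+1) trials instead of ~N/2), and that giving each user a unique random input prefix (what a per-message random IV or nonce achieves) makes every candidate key cost T encryptions again, wiping out that discount.

```python
import hashlib
import random

# Toy parameters (constructed for the demo). Real AES-128 has 2^128 keys;
# 2^16 keeps the exhaustive search to a fraction of a second.
KEY_BITS = 16
KEY_SPACE = 1 << KEY_BITS
NUM_TARGETS = 64                      # T users, each with an independent key
KNOWN_BLOCK = b"GET / HTTP/1.1\r\n"   # constructed "common first block"


def toy_encrypt(key: int, block: bytes) -> bytes:
    """Stand-in block cipher: keyed BLAKE2b truncated to 8 bytes. NOT AES."""
    return hashlib.blake2b(key.to_bytes(4, "big") + block, digest_size=8).digest()


def make_targets(seed: int = 1):
    """Constructed set of T independent random user keys."""
    rng = random.Random(seed)
    return [rng.randrange(KEY_SPACE) for _ in range(NUM_TARGETS)]


def multi_target_search(target_keys):
    """Every user encrypted the same KNOWN_BLOCK, so the attacker keeps one set
    of T ciphertexts and checks each candidate key with a single encryption
    plus a set lookup. Returns (recovered_key, encryptions_performed)."""
    ciphertexts = {toy_encrypt(k, KNOWN_BLOCK) for k in target_keys}
    work = 0
    for candidate in range(KEY_SPACE):
        work += 1
        if toy_encrypt(candidate, KNOWN_BLOCK) in ciphertexts:
            return candidate, work
    return None, work


def randomized_target_search(target_keys, seed: int = 2):
    """Each user prefixes a unique random value to the block (the effect of a
    per-message random IV/nonce). The T ciphertexts no longer share an input,
    so each candidate key costs T encryptions: the multi-target discount is gone."""
    rng = random.Random(seed)
    salts = [rng.getrandbits(64).to_bytes(8, "big") for _ in target_keys]
    ciphertexts = [toy_encrypt(k, s + KNOWN_BLOCK) for k, s in zip(target_keys, salts)]
    work = 0
    for candidate in range(KEY_SPACE):
        guesses = [toy_encrypt(candidate, s + KNOWN_BLOCK) for s in salts]
        work += len(guesses)
        if any(g == c for g, c in zip(guesses, ciphertexts)):
            return candidate, work
    return None, work


def expected_trials(keyspace: int, targets: int) -> float:
    """Analytical expectation: with T random keys in a space of N, the first
    hit of a sequential search lands after about N/(T+1) trials."""
    return keyspace / (targets + 1)


def run_demo():
    """Return the measured work for both scenarios next to the analytical values."""
    keys = make_targets()
    k_multi, work_multi = multi_target_search(keys)
    k_rand, work_rand = randomized_target_search(keys)
    return {
        "recovered_key_shared_input": k_multi,
        "work_shared_input": work_multi,
        "recovered_key_randomized": k_rand,
        "work_randomized": work_rand,
        "expected_single_target": KEY_SPACE / 2,
        "expected_multi_target": expected_trials(KEY_SPACE, NUM_TARGETS),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Because both searches walk the key space in ascending order, the measured work is exactly min(keys) + 1 encryptions with a shared input and T times that with randomized inputs; the same `expected_trials` formula with N = 2^128 and T = 2^40 gives the ~2^88 figure behind the message's "feasible computation today" remark. The randomization only helps if every application actually does it for every block, which is the fragility the message is pointing at.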