IETF Logo Mail Archive

[TLS] Re: Concerns about the current draft.

tirumal reddy <kondtir@gmail.com> Thu, 28 August 2025 05:39 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C0F2059F66F5 for <tls@mail2.ietf.org>; Wed, 27 Aug 2025 22:39:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EeXLgQ3r0FXK for <tls@mail2.ietf.org>; Wed, 27 Aug 2025 22:39:38 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A5CD559F66DE for <tls@ietf.org>; Wed, 27 Aug 2025 22:39:38 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-61cb9e039d9so1063285a12.1 for <tls@ietf.org>; Wed, 27 Aug 2025 22:39:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1756359577; x=1756964377; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Uto1CR3LosQMuWU62PnpdGUj8eHVzS3IO1+v8jD1d3M=; b=CVkck2j/VP8tj70APwv+I7RBEOGAoUYj0VyoCFOgkyKpAIPpDP0DZI0NtHK4uPGkDe 4LtyZ2xMHbyTAhFWNxjPtS+K/QWkoN0wMMqpmDqpF3kVM4JQ4DnUh4B5r3Sd+fpOTrJV NemmPmLns/dz/tRPTH6ziCQrib52yHJhZYYJygBjEudKh1jxScNVpKsz6pFf6x8BIQk4 +fQp945SU4jDJos3V4pkWT0ymjvSZ7RR+r3IC+8/j8BQWvdzIhQyFuN63YD1Qx49Fpot S5fgmADFpZk80tM/ylVNGXM3eLyarG9zX+CVHz+gb2HTyrdYhxQ09HVQbk3IBP7xk3kO VN3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1756359577; x=1756964377; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Uto1CR3LosQMuWU62PnpdGUj8eHVzS3IO1+v8jD1d3M=; b=F4ThwQdWNLtJlg9h3q1EPw7BqvwoemWdHqb3H24+q0ReJ4wv1y67P6wDCFqa1/BlXZ MthNsSK8vAYl1msxxB2Vddv39UM+tEJ9ugllU5uDxKv6GGrJLoZGNqMd3HKkaZkVvHa9 b9jud50VF+547qS09X/bbU85mubzi4yJJ96iYAPY3lYRiuflh4IhxyQXgYm4lzdIFAlt CevxandjxUNa2Ms9DbFqD9oXc0RvdMvpZ0EDDbT6jj0bZsJ6MPnSKFZ+xuip8rckUWdO 9Jv0zhepInw6ftLpJ7QG4k0elpvU2F77NlTPYvvyv9anKZP6rzeGjIjD9mQ7ujCaHZBt bYMw==
X-Forwarded-Encrypted: i=1; AJvYcCWakluONJQZSotf98m9wtk5ib1SiqREbG6DrTH/BOHmVVwwp9jELvEbhV+BhyzjTi2inkg=@ietf.org
X-Gm-Message-State: AOJu0YwQN3PYAxgwHlq9MgmyJDmZcgD49BAWl0/3s8cqAQSzCFn3/5sK 4jRn1hIKqbxggtsCV8XSfe9PVrgOrhZXULhAzVjvK7E3Zx36npxbT50uNtzoOp9R78SnE/ID4Ka U+kyK6NRCYSPIG5iKiRt5hrYJNQeX63U=
X-Gm-Gg: ASbGncs+fyHVOIcRwc2F04uqLGT+1RJyU+rWuqQEBNf0LnLEyBBMK9zvYFx6pyZLL1u GtUwlQtp50UwM99izzGWDl4oWOmUpLh69gi6vXn5tCP/1oJ1dPqH2ClbJH1Ohggz/5hdDKPYivx dNxFnqwOYanAmCbOUqCoKX/fG4MwvWbbWOvTddDnK61iH1TafFqsb3QvjSSrdzcmUnu5H03UTt9 ClYqXQNcB3L2UYtzmd3
X-Google-Smtp-Source: AGHT+IHrQ3dWRMxyQkl5q8iJg4UtRq5Vku6NTdDUGzs3mxWbDwmWyWaLFGPnYz7Ddp5gMxirJhhIl0OjBhdHi9qR7QI=
X-Received: by 2002:a05:6402:3552:b0:61c:5cac:2962 with SMTP id 4fb4d7f45d1cf-61c5cac2cb1mr11588326a12.0.1756359576884; Wed, 27 Aug 2025 22:39:36 -0700 (PDT)
MIME-Version: 1.0
References: <PH0PR07MB9683AED41B66451E26CBC84AD024A@PH0PR07MB9683.namprd07.prod.outlook.com> <c703af5c-b05f-4019-a12a-9d3c64412c44@redhat.com> <CAEEbLAaJ6-hFTJQHMQ1qwWVWEFWp9hTXjZwQR4SDmRFFHbW=EA@mail.gmail.com>
In-Reply-To: <CAEEbLAaJ6-hFTJQHMQ1qwWVWEFWp9hTXjZwQR4SDmRFFHbW=EA@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 28 Aug 2025 11:08:59 +0530
X-Gm-Features: Ac12FXx_WiprKEmHyewB3yBH77ogOXfHk-Dg9E_iV08Umyb6KZh03U_Vx21byIE
Message-ID: <CAFpG3geNH-4UGRr=T3ima3_1gvLCV+9j__-2sBzX5viiN9+VWA@mail.gmail.com>
To: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ad9b54063d665431"
Message-ID-Hash: YWPXK7CNGVUNGN4D3Q32BJRKEKKRLETO
X-Message-ID-Hash: YWPXK7CNGVUNGN4D3Q32BJRKEKKRLETO
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Robert Relyea <rrelyea=40redhat.com@dmarc.ietf.org>, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Concerns about the current draft.
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/J1_6DizxVXEmgPyOuz7Iez3eI1Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Robert,

You may want to look into
https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-14.html#section-3.1
.

Cheers,
-Tiru

On Wed, 27 Aug 2025 at 21:26, Sophie Schmieg <sschmieg=
40google.com@dmarc.ietf.org> wrote:

> As Bas mentioned, there is currently no indication that Grover's algorithm
> can practically break AES-128 any time soon. Grover's algorithm is
> inherently sequential, and cannot be parallelized, making the standard
> approach of throwing more compute at the problem to scale up infeasible. I
> see no reason to reassess [1] further at this point, any follow up research
> I have seen has confirmed the infeasibility of Grover's in at least the
> medium term of several decades to centuries.
>
> Switching from AES-128 to AES-256, while not the biggest deal in software
> (~40% performance degradation due to the additional rounds, down to ~25%
> increase when measuring AES-GCM end-to-end, due to the authentication part
> not changing), once you have e.g. hardware dependencies, the story changes
> substantially, and migration can become very difficult. Combined with the
> fact that, to the best of my knowledge, it is also completely unnecessary,
> I'm not going to recommend that switch proactively, or when the costs are
> anything but marginal, as not wasting resources is part of my job and
> obligation as an engineer.
>
> There are several reasons for hybrids, and while I agree that the reason
> for ECC + lattice based hybrids are becoming less compelling with every day
> that passes in which lattices do not get broken, I see little point to an
> HQC+ML-KEM hybrid. My trust in lattice cryptography is very high, and the
> biggest risk to ML-KEM, novel discoveries in algebraic number theory, would
> likely have consequences for code based cryptography as well, making
> FrodoKEM arguably the better fallback (and hybridizing with FrodoKEM would
> be meaningless).
>
> Sophie
>
> [1] https://eprint.iacr.org/2017/811
>
> On Tue, Aug 26, 2025 at 4:02 PM Robert Relyea <rrelyea=
> 40redhat.com@dmarc.ietf.org> wrote:
>
>> On 7/30/25 2:17 AM, ma bing wrote:
>> > NIST has approved HQC (Hamming Quasi-Cyclic) in addition to the
>> > already approved ciphers, I suggest to switch from ECC+Kyber to
>> > HQC+Kyber; Since ECC is vulnerable to quantum computer, using
>> > ECC+Kyber is likely a false positive, so I think HQC+Kyber is better.
>> > In conclusion, I think there are 3 concerns.
>>
>> Eric already addressed the main concern. Hybrid is to give us confidence
>> to deploy these new algorithms.
>>
>> The other issue is HQC is also significantly larger than ML-KEM*. Part
>> of what makes hybrid doable is that ECC is realtively small, so adding
>> it does not add significant size over ML-KEM's own keys. Performance was
>> such that Amazon found that they could 'just do it' and keep chugging.
>> That removes a significant barrier to deployment.
>>
>> The second issue is there is a lag time between 'approval' and
>> standards. NIST has decided to move forward with HQC as a NIST standard,
>> but that standard is not yet available. One it is I would expect to see
>> HQC-ECC hybrids out there as well, just so our infrastructure doesn't
>> fall over if ML-KEM becomes classically broken, but as I said, there is
>> no HQC standard, so
>>
>> Bob
>>
>> *I'm taking your use of Kyber to mean ML-KEM. Typically we refer to
>> Kyber when we are talking pre-standardized variants of the algorithm.
>> Using HQC would have the same issues as using Kyber (rather than
>> ML-KEM). It was a stop-gap until we had ML-KEM.
>>
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-leave@ietf.org
>>
>
>
> --
>
> Sophie Schmieg | Information Security Engineer | ISE Crypto |
> sschmieg@google.com
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.39.1 | Report a Bug | By Email | System Status