Re: [TLS] Before we PQC... Re: PQC key exchange sizes

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Sun, 07 August 2022 17:31 UTC

Return-Path: <prvs=62180832df=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A867C14CF14 for <tls@ietfa.amsl.com>; Sun, 7 Aug 2022 10:31:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QPkD1W9612X0 for <tls@ietfa.amsl.com>; Sun, 7 Aug 2022 10:31:44 -0700 (PDT)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DFDAC14F733 for <tls@ietf.org>; Sun, 7 Aug 2022 10:31:43 -0700 (PDT)
Received: from LLEX2019-2.mitll.ad.local (llex2019-2.llan.ll.mit.edu [172.25.4.124]) by MX3.LL.MIT.EDU (8.17.1.5/8.17.1.5) with ESMTPS id 277HVWx7192631 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Sun, 7 Aug 2022 13:31:32 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=tar2OXS5HScyul7b5wTTKGT9q9jZubuKhUNPRqVybAFXGlnRCVLAzps6VbpDbQHom34Y8xipcv1QNs8rPyqFtENXxL0C7niaBQBT/vPPEqaD1yzMu7yeZarqCbngyIdh1fSj1WVxpYHbnzBGcwUU/7Pwya4gjnrWaR1sgANfnAs2hCPkvvqa+z/LIlFjgdQWwV/r4lkTDb0anvWJQYRorRnRo9HeDQy7rDoXloRuEAUKN7cjqjWIkRsZnHk7kue1NRcDhDMGNoqrxw7WSXQ7/s8Xak+fxy+sTSM9tPYfvMPSgynlgSwoaGP7175fdxlG8SMwA0pbZJ9Nwo0OY/9AeQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2+1C7IoaeDVA5YijvRbn2z0DJooh7wFbjhCfbOWIWTw=; b=UyPm/0KsYmrX0axLR88F4v4awv8mXTlRxgpapv+bPcPL6O5RYT252IhZUO5hNjyrqkBGVbzX8PPD7cHwcWwKtpUmxHnDSsb+IRkkAS2HI4qw+zI5B6A6xe39SC9DD7V0TbEWR6WT45HiALe7UIm/8HMhl12a1MSed9qVWvbRq8YY4Qn2x+O9HlQNLLiYryFFBkXYUSOiSF5FzC+Wlr7avAiuXdI8Mq8lKlP6Ntluxd7bTbjceKRgrUYpwSakfReNIrStnv51Sx4v7KGfLKAPFgt+Wga0dkHwADjAhqiV6SyuIrTOcRPByeKqgDQ2yY5XLOeRnmWtmPpBMimlU76V0g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Phillip Hallam-Baker <ietf@hallambaker.com>
CC: "TLS@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Before we PQC... Re: PQC key exchange sizes
Thread-Index: AQHYqRUVSh5j4YX2pEOdnPkzn4LpAK2hAS+AgAAhngCAADIuAIAAYHmAgABkTACAAPl4gIAAmbgA///E8YA=
Date: Sun, 07 Aug 2022 17:31:39 +0000
Message-ID: <795BED30-B499-4E64-915F-4317C629E908@ll.mit.edu>
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com> <CAMm+LwgAzb4t=awzpU4Sb5j7Bf6DuR3u+23n+h_C3Pnsin-SHg@mail.gmail.com> <8383756C-5595-4028-9E5E-8B758147ED33@ll.mit.edu> <CAMm+LwgHNL_aHqK+TbdBf=xJBPftjkXL_=isXUJB+mbiUc7_Lw@mail.gmail.com> <58778bee-ccd8-3b6b-cdf3-7392cd6f3187@riseup.net> <CAChr6SxXVzKptFzDEczOUzVf+LGSNxY=rk45DgXceg_anA_SPQ@mail.gmail.com> <20220806051541.GQ3579@akamai.com> <CAChr6Sy3vGbcDCDXWOGNwLQgwZZG_z3HTSgz54Ch2_vurF++RA@mail.gmail.com> <CAMm+Lwj19zmbPo+53Zk8m3AOWPGF8mhyB9SPTVP7mP0DsWpPzQ@mail.gmail.com> <SY4PR01MB62514622B4DE2AF47F1B1DD2EE609@SY4PR01MB6251.ausprd01.prod.outlook.com> <CAMm+LwhdxdWJsqCW295Byu1OFDqbTnJR91MFdBHAY6tkk59Jag@mail.gmail.com>
In-Reply-To: <CAMm+LwhdxdWJsqCW295Byu1OFDqbTnJR91MFdBHAY6tkk59Jag@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.63.22070801
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2806e517-6a2c-4bcf-e5ab-08da789aafde
x-ms-traffictypediagnostic: BN0P110MB1768:EE_
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(366004)(38100700002)(122000001)(99936003)(6916009)(8936002)(5660300002)(86362001)(76116006)(66946007)(66556008)(66476007)(66446008)(64756008)(8676002)(38070700005)(4326008)(2616005)(6506007)(75432002)(26005)(6512007)(83380400001)(186003)(71200400001)(498600001)(6486002)(33656002)(2906002)(79850200001)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3742723899_2836444570"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 2806e517-6a2c-4bcf-e5ab-08da789aafde
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Aug 2022 17:31:39.6795 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1768
X-Proofpoint-GUID: yxtb3Sy-pmuCrRWOzAfAuNBm_SnxnDff
X-Proofpoint-ORIG-GUID: yxtb3Sy-pmuCrRWOzAfAuNBm_SnxnDff
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-07_10,2022-08-05_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=994 suspectscore=0 adultscore=0 mlxscore=0 bulkscore=0 spamscore=0 phishscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2208070094
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KOZroeUTSlM4__3OZ3i8o6oTcQ4>
Subject: Re: [TLS] Before we PQC... Re: PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Aug 2022 17:31:45 -0000

> > I thought a Quantum Annoyance was someone who keeps banging on about imaginary
> > attacks that don't exist as a means of avoiding having to deal with actual
> > attacks that have been happening for years without being addressed.
>
> That is a little unfair but only a little.

I don't think Quantum "Annoyance" makes any sense at all. It's only annoying to implementers.

> What bothers me is that TLS is not a toy, it is the primary security control
> used in most of the world's critical infrastructure. That is why
> Quantum Cryptanalysis has to be taken seriously.

I concur.

> But so does the fact that Rainbow fell to an attack discovered during the competition.

That was the point of the competition, n'est-ce pas?

> This is not mature crypto, it is not ready for prime time as a sole control.

I think you're throwing everything into one pile, mixing apples, oranges, etc.

How long till a crypto algorithm is considered "mature"? Is ECC "mature"? What about NTRU?

> I have seen references to a 'NIST' slide insisting that we should not use hybrid schemes
> and I completely disagree with them.

I appreciate your point, and happen to disagree with it. SIKE failed - and so did many other PQ and Classic algorithms. So...? Can you *guarantee* that ECC (or RSA) won't fall to a brand-new LoW attack tomorrow, or in two years? You'd say "it's not likely"? Sure, but IMHO it's comparably unlikely for NTRU or Kyber to fall in a similar way.

> KGB doctrine was always that every communication be secured by two independent technologies
> using separate principles.

I'm sorry to disappoint you, but the above is simply untrue.

> First, do no harm: At this point it is very clear that the risk of a 
> Laptop on a Weekend breaking Kyber is rather higher than anyone building
> a QCC capable computer in the next decade.

Probably. Otherwise, no comment.

> So, what is not going to happen is a system in which a break of Kyber results in a break of TLS. 

I daresay, nothing - because, based on the available cryptanalytic results, I don't expect Kyber to break, at least at NIST Sec Level 5 (and I'm not interested in any other level).

> Critical infrastructure demands defense in depth. The lack of binding between the
> ephemeral and the initial exchanges was always a design blunder in TLS.

Yes, absolutely.

> Using an ephemeral should never weaken the security.

Again, I concur.

> Incidentally, this particular design blunder is one of the reasons
> I am skeptical of security proofs using formal methods.

"Look at the formal proofs, but trust cryptanalysis". I could sign under this statement.
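As an added illustration of the hybrid design being argued about above (this is example code written for this page, not code from the message, from either author, or from any IETF draft), here is the concatenation-style hybrid key exchange in the shape draft-ietf-tls-hybrid-design describes: the two key shares are concatenated into one KeyShareEntry, the two shared secrets are concatenated, and that concatenation becomes the (EC)DHE input to the TLS 1.3 key schedule, which also binds the handshake transcript. The component sizes (32-byte X25519 public key, 1184-byte Kyber768/ML-KEM-768 encapsulation key, 32-byte shared secrets) and the SHA-256 key schedule are assumptions chosen for the illustration; no group code point is assigned here. The key material and transcript hash in the demo are constructed stand-ins, not outputs of a real X25519 or Kyber implementation.

```python
"""Hybrid (ECDH + KEM) key share encoding and shared-secret combination
in the style of draft-ietf-tls-hybrid-design, on top of the TLS 1.3
key schedule (RFC 8446 section 7.1). Example code for this page only."""
import hashlib
import hmac
import os
import struct
from typing import Tuple

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256

# Assumed component sizes: X25519 public key and a Kyber768/ML-KEM-768
# encapsulation key. These are illustration parameters, not taken from the message.
X25519_PK_LEN = 32
KYBER768_PK_LEN = 1184


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446): HkdfLabel = length || "tls13 " + label || context."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def encode_hybrid_key_share(ecdh_pub: bytes, pq_pub: bytes) -> bytes:
    """key_exchange field of a hybrid KeyShareEntry: the two shares concatenated."""
    if len(ecdh_pub) != X25519_PK_LEN or len(pq_pub) != KYBER768_PK_LEN:
        raise ValueError("component key share has unexpected length")
    return ecdh_pub + pq_pub


def parse_hybrid_key_share(key_exchange: bytes) -> Tuple[bytes, bytes]:
    """Split a hybrid key_exchange into (ecdh_pub, pq_pub). The length is fixed,
    so any other length is a malformed share and is rejected, never padded or truncated."""
    expected = X25519_PK_LEN + KYBER768_PK_LEN
    if len(key_exchange) != expected:
        raise ValueError(f"hybrid key share must be {expected} bytes, got {len(key_exchange)}")
    return key_exchange[:X25519_PK_LEN], key_exchange[X25519_PK_LEN:]


def key_share_entry_size(key_exchange: bytes) -> int:
    """Wire size of one KeyShareEntry: 2-byte group id + 2-byte length + key_exchange."""
    return 2 + 2 + len(key_exchange)


def handshake_traffic_secret(ss_ecdh: bytes, ss_pq: bytes, transcript_hash: bytes) -> bytes:
    """TLS 1.3 key schedule with a hybrid (EC)DHE input (no PSK): the concatenated
    shared secrets are the IKM of the Handshake Secret extract, and the transcript
    hash is the context of the traffic-secret derivation. An attacker who recovers
    only one of the two shared secrets still lacks part of the IKM."""
    early_secret = hkdf_extract(b"\x00" * HASH_LEN, b"\x00" * HASH_LEN)
    derived = hkdf_expand_label(early_secret, b"derived", HASH(b"").digest(), HASH_LEN)
    handshake_secret = hkdf_extract(derived, ss_ecdh + ss_pq)
    return hkdf_expand_label(handshake_secret, b"c hs traffic", transcript_hash, HASH_LEN)


if __name__ == "__main__":
    # Constructed stand-ins for key material; real values would come from X25519 and Kyber.
    ke = encode_hybrid_key_share(os.urandom(X25519_PK_LEN), os.urandom(KYBER768_PK_LEN))
    print("hybrid key_exchange bytes:", len(ke), "KeyShareEntry bytes:", key_share_entry_size(ke))
    ss_ecdh, ss_pq = os.urandom(32), os.urandom(32)
    th = HASH(b"ClientHello...ServerHello (constructed transcript)").digest()
    real = handshake_traffic_secret(ss_ecdh, ss_pq, th)
    # Adversary who broke the ECDH component but not the KEM: knows ss_ecdh only.
    broken_ecdh_only = handshake_traffic_secret(ss_ecdh, os.urandom(32), th)
    print("ECDH-only adversary derives the right key:", real == broken_ecdh_only)
```

The combiner's "do no harm" property rests on HKDF-Extract behaving as a dual PRF (secure when either half of the IKM is unpredictable); the draft states that assumption explicitly rather than proving it, so it is one more thing to weigh alongside the size cost shown by key_share_entry_size.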