Re: [TLS] PQC key exchange sizes

["Kampanakis, Panos" <kpanos@amazon.com>]

Hi Martin,

> If we wanted a PQ HPKE (or a Hybrid KEM) then ECH would blow out the size so that we would end up with multiple packets for the CH.  That would be basically unworkable from a performance perspective.

Why are 2-3 packet CHs unworkable? Do you have data to share? 2-3 packets mean higher loss probability, OK. But for a 5% per packet loss probability, a 2 and 3 packet CH would have  9.5% and 14% probability of losing at least one packet which is worse, but imo not that worse.

Note that many academic publications have tested PQ KEMs that blow the CH to 2-3 packets and find performance does not lack that much. OK these papers did not test the "tails", but I am curious if you have any data to substantiate the claim. 




-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Martin Thomson
Sent: Tuesday, July 26, 2022 11:31 AM
To: tls@ietf.org
Subject: RE: [EXTERNAL][TLS] PQC key exchange sizes

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



On Tue, Jul 26, 2022, at 11:21, Stephen Farrell wrote:
> Be interested in how that'd change the CH if ECH is used too.
> I guess the answer mightn't make us happy;-)

PQ HPKE would not fit, but the Kyber-512 numbers mean that we should be OK for ECH if we stuck with classical security.  For obvious reasons, that might not be OK though.

If we wanted a PQ HPKE (or a Hybrid KEM) then ECH would blow out the size so that we would end up with multiple packets for the CH.  That would be basically unworkable from a performance perspective.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls