Re: [TLS] Before we PQC... Re: PQC key exchange sizes

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 09 August 2022 21:06 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Robert Relyea <rrelyea@redhat.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Before we PQC... Re: PQC key exchange sizes
Date: Tue, 09 Aug 2022 21:06:40 +0000
Message-ID: <552FF1D9-A4F0-4C35-9C65-A6F587804BD2@ll.mit.edu>
References: <2bcd5c96-4595-fbf6-5648-4ec27753ca45@redhat.com>
In-Reply-To: <2bcd5c96-4595-fbf6-5648-4ec27753ca45@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OeLvc0EK1opeG_wHAhqXIdhv02k>

Robert,

I can’t agree more. 

Except: Structured Lattices indeed have not been around as long as, e.g., RSA or ECC - but for how long had RSA or ECC been around before they were included in cryptographic protocols? Without Hybrid?

Thanks!

Regards,
Uri

> On Aug 9, 2022, at 16:58, Robert Relyea <rrelyea@redhat.com> wrote:
> 
> 
> On 8/6/22 11:40 AM, Phillip Hallam-Baker wrote:
>> +1
>> 
>> Anything the WG does has to be proof against Quantum Cryptanalysis and LoW (Laptops on Weekends). The fact that the broken algorithms did not get picked does not change the fact that they made it to the third round.
> Lumping all the algorithms together is just a strawman. Yes, two algorithms made it to the 3rd round and were broken. The reason Rainbow wasn't picked was because it was broken before the end of the 3rd round. Multivariate equations sounded good at the beginning, but all forms and uses of multivariate have been broken.
> 
> SIKE was in the 3rd round as an alternate. It was an alternate precisely because the idea had the least time in which people were pushing on it. It was never going to be picked as a finalist in this round. The algorithms in the alternate list are there precisely because they are interesting, but not proven.
> 
> Structured Lattice is in between. It's been around a lot longer than Multivariate or SIKE, but not as long as ECC, RSA or classic Code Based algorithms. It's good to be skeptical, but it's also time to start getting experience with it.
> 
>>> 
>>> 
>>> 
>>> 
>>> On Sat, Aug 6, 2022 at 1:53 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>>> 
>>>> 
>>>> On 06/08/2022 17:47, Phillip Hallam-Baker wrote:
>>>> > Are you proposing pure Kyber or a hybrid though?
>>>> 
>>>> I've not heard anyone suggest securing an IETF protocol
>>>> only via PQC algs. It'd be incredibly dim to make that
>>>> suggestion IMO, esp now that two of the 3rd round entries
>>>> have been busted. So I'm not worried that we'd even come
>>>> close to landing there for TLS.
>> 
>> Hybrid is where we should be now. We should have some confidence in Kyber, but we have a lot of confidence in RSA and ECC.
>> 
>> The issue of Kyber isn't that 2 3rd round entries were busted. The worry is we are still learning about the potential gotchas of structured lattice. (You thought side channel attacks on RSA were bad, wait until you have to implement a secure lattice cypher).
>> 
>> bob
>> 
>>> S.
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> 