Re: [TLS] Before we PQC... Re: PQC key exchange sizes
Phillip Hallam-Baker <ietf@hallambaker.com> Sat, 06 August 2022 02:33 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 367DBC16ECF9 for <tls@ietfa.amsl.com>; Fri, 5 Aug 2022 19:33:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.428
X-Spam-Level:
X-Spam-Status: No, score=-1.428 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HXHZYBcXU-uG for <tls@ietfa.amsl.com>; Fri, 5 Aug 2022 19:33:13 -0700 (PDT)
Received: from mail-oo1-f49.google.com (mail-oo1-f49.google.com [209.85.161.49]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73EC9C157B54 for <tls@ietf.org>; Fri, 5 Aug 2022 19:33:13 -0700 (PDT)
Received: by mail-oo1-f49.google.com with SMTP id r16-20020a4abf10000000b0044100d984ddso755372oop.12 for <tls@ietf.org>; Fri, 05 Aug 2022 19:33:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z+9veytVyeuQWnRyN2Wbba6aa01rwtiENe1oK0ohRys=; b=WjtKhD+e2NVcpJmyLz9B0jQY4dz4+78/83cWLi5N9/0Pm3/5SK5DQlhFVWYlZdD0K6 xmiq/clTJ12hKgU2Ky1ojCBweIJDiourCvi5NDNQIW/iMLx30xc3U5go9v/5kiCWuowj ELnGMP60qSa2RZAhvB34N3RUGAtVVyfo/aPsMH5WqCbYMEw7RSGXieuMjmX+1gyB2cDg w6dMYSrR3hTmmPK8nQpY2AOOEkJfYRBeLUGm6BkxZxBzmfRskpRojEu2zm1iitReXJ8s /ly/yHHo+PaUBf1ht2E5ensBw59z5lWpvli67aL1wBPMi8TAcU2Mj6Paw+mMAIMvXlGX 8/Bw==
X-Gm-Message-State: ACgBeo3OTLM2vS/H9M/WsRkgejVfxNYrQlyfV862pz5bXdS94e+yndM+ ab6RnwQq3PfZ30/NAaIJeewwKxV1BTdJq9OOLh4=
X-Google-Smtp-Source: AA6agR4D55kqtxwoo0lkuk+2ykIIVcVbQET7SRL60jKBcQIQs8AVejM5s6NbQ+9nMvvoT1yN9dCazURwkLimU/olo+E=
X-Received: by 2002:a4a:be06:0:b0:435:8b69:e35b with SMTP id l6-20020a4abe06000000b004358b69e35bmr3442842oop.78.1659753192513; Fri, 05 Aug 2022 19:33:12 -0700 (PDT)
MIME-Version: 1.0
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com> <CAMm+LwgAzb4t=awzpU4Sb5j7Bf6DuR3u+23n+h_C3Pnsin-SHg@mail.gmail.com> <8383756C-5595-4028-9E5E-8B758147ED33@ll.mit.edu> <CAMm+LwgHNL_aHqK+TbdBf=xJBPftjkXL_=isXUJB+mbiUc7_Lw@mail.gmail.com> <58778bee-ccd8-3b6b-cdf3-7392cd6f3187@riseup.net>
In-Reply-To: <58778bee-ccd8-3b6b-cdf3-7392cd6f3187@riseup.net>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
Date: Fri, 05 Aug 2022 22:33:01 -0400
Message-ID: <CAMm+LwgJTuhLbfALRLi=w_Uyt5v4Ngv=C+ZhvSPqzezQcC568A@mail.gmail.com>
To: Sofía Celi <cherenkov@riseup.net>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000074654e05e589676f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YkwC7Qzmc4Cba0g3F1G8Q-1-LFM>
Subject: Re: [TLS] Before we PQC... Re: PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Aug 2022 02:33:17 -0000
On Fri, Aug 5, 2022 at 8:16 PM Sofía Celi <cherenkov@riseup.net> wrote: Thanks for looking at this. ... > Completely agree. This is also the case for DNSSEC, for example. We > don't have a proper mapping of those operational issues. We have started > research on the matter so if you are interested in contributing, let us > know. > Unless we get a scheme that allows for signatures of 200 bytes or less, we are really, really going to have to redesign the DNS protocol and DNSSEC architecture because trying to do DNSSEC with signatures that don't fit in an ethernet frame is a non-starter. The way I would do it is to use structured cryptography, that is a single signature per zone over a Merkle tree of the individual records. Pruning the digests to 256 bits presents an acceptable work factor and only costs 32.log2(n) bytes where n is the number of records in the zone. > > I am now thinking in terms of 'Post Quantum Hardened" and "Post Quantum > > Qualified". Hardening a system so it doesn't completely break under QCC > > is a practical near term goal. Getting to a fully qualified system is > > going to be a root-and-canal job. > > There is a notion of being 'quantum annoyant' to a quantum computer: > perhaps that might be an starting point for other schemes that do no > have a post-quantum counterpart as of right now. For others, a hybrid > approach should definitly be taken such that classical cryptography > still protects data. > I am using PQC to protect the data and Threshold-ECC to protect the data with separation of roles. > The term 'interactive' is used very differently in protocol design and > > cryptography. DH and ECDH are mutual key exchanges. Alice and Bob both > > receive a shared secret that both contribute to equally. Kyber is a > > unilateral key exchange, Alice encrypts to Bob's public key without > > using her key. If we want to have a mutually authenticated key exchange, > > Bob is going to have to encrypt something to Alice's public key. > > That is correct. Such is the way KEMs work. We don't have that > counterpart in post-quantum that we can attest to a high level of > security. This is not so evidently needed in TLS but it is on Signal, > OTR, and other protocols. I recently sent an email to the pqc mailing > list around the matter: > https://mailarchive.ietf.org/arch/msg/pqc/mW1r-57_OX7kAMGPef3noC4ZF_E/ While DH does in theory allow Alice and Bob to establish a shared secret directly using a mutual key agreement, that is not an approach I have ever wanted to use. It means we end up using the same primary key for our key agreement. That just feels dirty to me. I prefer to do two unilateral exchanges and concatenate the results to get the input to the KDF which is how Noise/Signal is doing things for the two party interaction case. Given the use case is human-human interaction and given all the other latency in the call setup, I have a really really hard time seeing multiple round trips for a forward secrecy rekey. Furthermore, Signal is a closed infrastructure, you can only use the Signal servers and the Signal client. So I am also having a hard time seeing how their problem is our problem or how backwards compatibility is a concern. One of my pet peeves in Signal is in fact their nanny knows best insistence on me constantly updating their client. When you said 'interactive protocol', what I thought you were saying is that Kyber requires the multiple round trips some of the early Zero Knowledge protocols required. PHB
- [TLS] PQC key exchange sizes Thom Wiggers
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Stephen Farrell
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Bas Westerbaan
- Re: [TLS] PQC key exchange sizes Rob Sayre
- Re: [TLS] PQC key exchange sizes Sofía Celi
- [TLS] Before we PQC... Re: PQC key exchange sizes Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Peter Gutmann
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Bas Westerbaan
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Robert Relyea
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Thom Wiggers