[TLS] Re: Concerns about the current draft.
Sophie Schmieg <sschmieg@google.com> Wed, 27 August 2025 15:54 UTC
Return-Path: <sschmieg@google.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BA18859B6D70 for <tls@mail2.ietf.org>; Wed, 27 Aug 2025 08:54:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level:
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wc-ImWL6VaEr for <tls@mail2.ietf.org>; Wed, 27 Aug 2025 08:54:40 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 26C1259B6D59 for <tls@ietf.org>; Wed, 27 Aug 2025 08:54:40 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id 2adb3069b0e04-55f391fa2c4so11627e87.0 for <tls@ietf.org>; Wed, 27 Aug 2025 08:54:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1756310079; x=1756914879; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=pRCfrd/UfwbKSKpD2C0KjxqnmYQ1+wJ4ugckorhIGuU=; b=usrMJo+cTLTLfUZjHSVeA/QooUQ4nKiwZ9bG7xzdwBglIJKQfsnAJEh2xYAdcwWdzX LQCtIE0cQ/Bx7Uxn5t3pSGbjH/L2x7XpvPdrQZ1kxpKRA+vdjDdEcQndp41JvguK16zc Cik49lHf1/gc53i7Aa/AGWoHsfvc6aFL9ZjcmzbNVZ9x5wpT4l9b/DG3KylCJRsNaUBz 2BVjle4CQPkhk6F5q8BuUS7lFnD2LNFE8nI/jIfWsxTnhzODUySI4MSjE2GLAxzhAp0O i2jR98QLkXW3M2mH3M5USaPx923F4qVO1UU9H3Q1k+akboyjK6qk3zzp9euM+DYQX81b 0ULw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1756310079; x=1756914879; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=pRCfrd/UfwbKSKpD2C0KjxqnmYQ1+wJ4ugckorhIGuU=; b=dzGXLDWyCuBDzy7aKMGUfbmwmgNYb4gMKxaps/RX6fvOQF+2YiXMWWXlWqoYel6L6b H3kGP34OTfE5gNJCh9dPWZcNTxFIcvnXV9KnOTBBd8xxJP922OjoDSlrgdVg2goddkY8 /CgKPLkcJ7SEChTW0FQQeId8JK8OpNfvj5qMKIF+HbjAXagAl+ClkLqLplOUcAZXGiZU iiAyQVWkhjP1+I3z1tL0R6ciCZLo5U6bW03TYfFJpGyEnWkC0g6H9XgU2dYhbpDGJbvV BwRXzeXAdJiNsp2Hwo0Jf2vf2mSB5eD1vmmrh0bu7z7DubwpojtZKJZBCnDKzkRwz1N9 Ffjw==
X-Gm-Message-State: AOJu0Yx/MN6034SVip9Po7wLmlbdzI/EAn8MR9dTHX0fnXgCQs0KwqcT Sj0kpTshEa61MdUnZoMFsQY7gfueKZYVkZ0ZAy8vhcHQSuHi6zv6dki6Kf6xen3K6MMlDiFYvT+ VWraBSqF4SwZgrwbDUCLzOAL1pVTRMfo+AU9+7Z4O/mOS+YHDCsWlhVuHcUI=
X-Gm-Gg: ASbGnctxlj9yTuASEkIKcqZ6OxzDSQVdXiuSp7O1SiuzWUR2iYoOzOro5YuSkODpFA3 RNnYSIOv2jU2EvbHlc/rmoWuB95AQ2gUqi+e3NMWXDY8Rivy41jWVaCUb6eA97d+Iy4Gc+FZZbP 3te7jHzOmfDGF1o2JLdTAgkjjSoe9ET5Yoc623QO5Qph+UXSvoEwhdnDV2UJk+846sKfaY0P5VC TDOPgga9EcfHZI3MNsVQzZcbbsAVnrn9x3Mq7W3i4rKho63
X-Google-Smtp-Source: AGHT+IFmSxnh2RjU8wZn2ECIvY71c41qdAZ+PV1T6+xMN8LhfCC804TMbVAigAfVbNtzBEQiarTv/ynfPyE4rPMuWFk=
X-Received: by 2002:a05:6512:6419:b0:55d:9f5:8846 with SMTP id 2adb3069b0e04-55f4d2846famr639823e87.0.1756310078419; Wed, 27 Aug 2025 08:54:38 -0700 (PDT)
MIME-Version: 1.0
References: <PH0PR07MB9683AED41B66451E26CBC84AD024A@PH0PR07MB9683.namprd07.prod.outlook.com> <c703af5c-b05f-4019-a12a-9d3c64412c44@redhat.com>
In-Reply-To: <c703af5c-b05f-4019-a12a-9d3c64412c44@redhat.com>
From: Sophie Schmieg <sschmieg@google.com>
Date: Wed, 27 Aug 2025 08:54:27 -0700
X-Gm-Features: Ac12FXw_v5tlQPlAcgPKldVeTVXW2FUY-GdZ-B4WqkSzIaDAlcCYE7CA3CNLwoU
Message-ID: <CAEEbLAaJ6-hFTJQHMQ1qwWVWEFWp9hTXjZwQR4SDmRFFHbW=EA@mail.gmail.com>
To: Robert Relyea <rrelyea=40redhat.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000576410063d5ace53"
Message-ID-Hash: DEYSINZ3UERMXUH6R4YEVFTFHTKBA2TW
X-Message-ID-Hash: DEYSINZ3UERMXUH6R4YEVFTFHTKBA2TW
X-MailFrom: sschmieg@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Concerns about the current draft.
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ewWqCEqBGGwIr9yA6ahoEfOxhS0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
As Bas mentioned, there is currently no indication that Grover's algorithm can practically break AES-128 any time soon. Grover's algorithm is inherently sequential, and cannot be parallelized, making the standard approach of throwing more compute at the problem to scale up infeasible. I see no reason to reassess [1] further at this point, any follow up research I have seen has confirmed the infeasibility of Grover's in at least the medium term of several decades to centuries. Switching from AES-128 to AES-256, while not the biggest deal in software (~40% performance degradation due to the additional rounds, down to ~25% increase when measuring AES-GCM end-to-end, due to the authentication part not changing), once you have e.g. hardware dependencies, the story changes substantially, and migration can become very difficult. Combined with the fact that, to the best of my knowledge, it is also completely unnecessary, I'm not going to recommend that switch proactively, or when the costs are anything but marginal, as not wasting resources is part of my job and obligation as an engineer. There are several reasons for hybrids, and while I agree that the reason for ECC + lattice based hybrids are becoming less compelling with every day that passes in which lattices do not get broken, I see little point to an HQC+ML-KEM hybrid. My trust in lattice cryptography is very high, and the biggest risk to ML-KEM, novel discoveries in algebraic number theory, would likely have consequences for code based cryptography as well, making FrodoKEM arguably the better fallback (and hybridizing with FrodoKEM would be meaningless). Sophie [1] https://eprint.iacr.org/2017/811 On Tue, Aug 26, 2025 at 4:02 PM Robert Relyea <rrelyea= 40redhat.com@dmarc.ietf.org> wrote: > On 7/30/25 2:17 AM, ma bing wrote: > > NIST has approved HQC (Hamming Quasi-Cyclic) in addition to the > > already approved ciphers, I suggest to switch from ECC+Kyber to > > HQC+Kyber; Since ECC is vulnerable to quantum computer, using > > ECC+Kyber is likely a false positive, so I think HQC+Kyber is better. > > In conclusion, I think there are 3 concerns. > > Eric already addressed the main concern. Hybrid is to give us confidence > to deploy these new algorithms. > > The other issue is HQC is also significantly larger than ML-KEM*. Part > of what makes hybrid doable is that ECC is realtively small, so adding > it does not add significant size over ML-KEM's own keys. Performance was > such that Amazon found that they could 'just do it' and keep chugging. > That removes a significant barrier to deployment. > > The second issue is there is a lag time between 'approval' and > standards. NIST has decided to move forward with HQC as a NIST standard, > but that standard is not yet available. One it is I would expect to see > HQC-ECC hybrids out there as well, just so our infrastructure doesn't > fall over if ML-KEM becomes classically broken, but as I said, there is > no HQC standard, so > > Bob > > *I'm taking your use of Kyber to mean ML-KEM. Typically we refer to > Kyber when we are talking pre-standardized variants of the algorithm. > Using HQC would have the same issues as using Kyber (rather than > ML-KEM). It was a stop-gap until we had ML-KEM. > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org > -- Sophie Schmieg | Information Security Engineer | ISE Crypto | sschmieg@google.com
- [TLS] Re: [EXT] Re: Concerns about the current dr… D. J. Bernstein
- [TLS] Concerns about the current draft. ma bing
- [TLS] Re: Concerns about the current draft. Eric Rescorla
- [TLS] Re: Concerns about the current draft. Bas Westerbaan
- [TLS] Re: Concerns about the current draft. D. J. Bernstein
- [TLS] Re: [EXT] Re: Concerns about the current dr… D. J. Bernstein
- [TLS] Re: [EXT] Re: Concerns about the current dr… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Concerns about the current draft. Robert Relyea
- [TLS] Re: Concerns about the current draft. Sophie Schmieg
- [TLS] Re: Concerns about the current draft. tirumal reddy
- [TLS] Re: [EXT] Re: Concerns about the current dr… John Mattsson
- [TLS] Re: [EXT] Re: Concerns about the current dr… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Concerns about the current draft. John Mattsson
- [TLS] Re: Concerns about the current draft. Sophie Schmieg
- [TLS] Re: Concerns about the current draft. Tim Hollebeek
- [TLS] Re: Concerns about the current draft. Martin Thomson
- [TLS] Re: Concerns about the current draft. David Benjamin
- [TLS] Re: Concerns about the current draft. John Mattsson