Re: [TLS] Before we PQC... Re: PQC key exchange sizes
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 07 August 2022 06:58 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C065C13CCC4 for <tls@ietfa.amsl.com>; Sat, 6 Aug 2022 23:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eRDT3DKEwIr2 for <tls@ietfa.amsl.com>; Sat, 6 Aug 2022 23:58:43 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4b.welho.com [83.102.41.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7C5FC15C539 for <tls@ietf.org>; Sat, 6 Aug 2022 23:58:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id EAC9A67E7A for <tls@ietf.org>; Sun, 7 Aug 2022 09:58:39 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id 2UItk7TGSpcA for <tls@ietf.org>; Sun, 7 Aug 2022 09:58:39 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 9BE9D2320 for <tls@ietf.org>; Sun, 7 Aug 2022 09:58:38 +0300 (EEST)
Date: Sun, 07 Aug 2022 09:58:38 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <Yu9inmpFgfr9epnp@LK-Perkele-VII2.locald>
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com> <CAMm+LwgAzb4t=awzpU4Sb5j7Bf6DuR3u+23n+h_C3Pnsin-SHg@mail.gmail.com> <CH0PR11MB544479BFF3107C532AD75172C1619@CH0PR11MB5444.namprd11.prod.outlook.com> <20220806051105.GP3579@akamai.com> <CAMm+LwhwKW6vmy7vu6Q_8Bg-CNtJyzgPJhKEzo9gP85ktnk75g@mail.gmail.com> <7b8fee1c-686b-5202-d639-af34aa19ebff@cs.tcd.ie> <CAMm+LwhpZbhTxo7Vu9REO50f2cCFbKwUCcuhDVmapam4121g5Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAMm+LwhpZbhTxo7Vu9REO50f2cCFbKwUCcuhDVmapam4121g5Q@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fBHahHrslSmLzMfoMAUcobaPsxs>
Subject: Re: [TLS] Before we PQC... Re: PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Aug 2022 06:58:47 -0000
On Sat, Aug 06, 2022 at 02:40:37PM -0400, Phillip Hallam-Baker wrote: > On Sat, Aug 6, 2022 at 1:53 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: > > On 06/08/2022 17:47, Phillip Hallam-Baker wrote: > > > Are you proposing pure Kyber or a hybrid though? > > > > I've not heard anyone suggest securing an IETF protocol > > only via PQC algs. It'd be incredibly dim to make that > > suggestion IMO, esp now that two of the 3rd round entries > > have been busted. So I'm not worried that we'd even come > > close to landing there for TLS. I remember hearing proposals to use PQC-only in some IETF stuff. I do not mean hash signatures, which are very solid stuff, but I do not offhand remember any concrete examples. Agreed that it is not a good idea at this point. Another thing to watch out for is stuff that ends up being a complexity nightmare in practice. E.g., multiple certificate chains validated in parallel. > +1 > > Anything the WG does has to be proof against Quantum Cryptanalysis and > LoW (Laptops on Weekends). The fact that the broken algorithms did not > get picked does not change the fact that they made it to the third > round. Actually, there is a big difference in scaryness of the two cases. For Rainbow, as far as I am aware, the key attack techniques were very recent, developed during the second and the third rounds of the NISTPQC. That mostly falls into "new attacks appearing". For SIKE, it is much much worse. The key attack techniques actually _predated_ SIDH (which SIKE is based on) by many years. And that still made it to third round. Now that is scary. Then there was smaller third oops: SABER: During late third round, one well-known lattice crypto researcher asked for cryptoanalysis of the MLWR problem (used in, e.g., SABER). Turns out there is not much. Mostly some folks applying basic smoke tests on it (anything failing those is very broken). -Ilari
- [TLS] PQC key exchange sizes Thom Wiggers
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Stephen Farrell
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Bas Westerbaan
- Re: [TLS] PQC key exchange sizes Rob Sayre
- Re: [TLS] PQC key exchange sizes Sofía Celi
- [TLS] Before we PQC... Re: PQC key exchange sizes Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Peter Gutmann
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Bas Westerbaan
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Robert Relyea
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Thom Wiggers