IETF Logo Mail Archive

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 07 August 2022 06:58 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C065C13CCC4 for <tls@ietfa.amsl.com>; Sat, 6 Aug 2022 23:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eRDT3DKEwIr2 for <tls@ietfa.amsl.com>; Sat, 6 Aug 2022 23:58:43 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4b.welho.com [83.102.41.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7C5FC15C539 for <tls@ietf.org>; Sat, 6 Aug 2022 23:58:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id EAC9A67E7A for <tls@ietf.org>; Sun, 7 Aug 2022 09:58:39 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id 2UItk7TGSpcA for <tls@ietf.org>; Sun, 7 Aug 2022 09:58:39 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 9BE9D2320 for <tls@ietf.org>; Sun, 7 Aug 2022 09:58:38 +0300 (EEST)
Date: Sun, 07 Aug 2022 09:58:38 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <Yu9inmpFgfr9epnp@LK-Perkele-VII2.locald>
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com> <CAMm+LwgAzb4t=awzpU4Sb5j7Bf6DuR3u+23n+h_C3Pnsin-SHg@mail.gmail.com> <CH0PR11MB544479BFF3107C532AD75172C1619@CH0PR11MB5444.namprd11.prod.outlook.com> <20220806051105.GP3579@akamai.com> <CAMm+LwhwKW6vmy7vu6Q_8Bg-CNtJyzgPJhKEzo9gP85ktnk75g@mail.gmail.com> <7b8fee1c-686b-5202-d639-af34aa19ebff@cs.tcd.ie> <CAMm+LwhpZbhTxo7Vu9REO50f2cCFbKwUCcuhDVmapam4121g5Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAMm+LwhpZbhTxo7Vu9REO50f2cCFbKwUCcuhDVmapam4121g5Q@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fBHahHrslSmLzMfoMAUcobaPsxs>
Subject: Re: [TLS] Before we PQC... Re: PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Aug 2022 06:58:47 -0000

On Sat, Aug 06, 2022 at 02:40:37PM -0400, Phillip Hallam-Baker wrote:
> On Sat, Aug 6, 2022 at 1:53 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> > On 06/08/2022 17:47, Phillip Hallam-Baker wrote:
> > > Are you proposing pure Kyber or a hybrid though?
> >
> > I've not heard anyone suggest securing an IETF protocol
> > only via PQC algs. It'd be incredibly dim to make that
> > suggestion IMO, esp now that two of the 3rd round entries
> > have been busted. So I'm not worried that we'd even come
> > close to landing there for TLS.

I remember hearing proposals to use PQC-only in some IETF stuff. I do
not mean hash signatures, which are very solid stuff, but I do not
offhand remember any concrete examples. Agreed that it is not a good
idea at this point.

Another thing to watch out for is stuff that ends up being a
complexity nightmare in practice. E.g., multiple certificate chains
validated in parallel.


> +1
> 
> Anything the WG does has to be proof against Quantum Cryptanalysis and
> LoW (Laptops on Weekends). The fact that the broken algorithms did not
> get picked does not change the fact that they made it to the third
> round.

Actually, there is a big difference in scaryness of the two cases.

For Rainbow, as far as I am aware, the key attack techniques were
very recent, developed during the second and the third rounds of the
NISTPQC. That mostly falls into "new attacks appearing".

For SIKE, it is much much worse. The key attack techniques actually
_predated_ SIDH (which SIKE is based on) by many years. And that still
made it to third round. Now that is scary.


Then there was smaller third oops:

SABER: During late third round, one well-known lattice crypto researcher
asked for cryptoanalysis of the MLWR problem (used in, e.g., SABER).
Turns out there is not much. Mostly some folks applying basic smoke
tests on it (anything failing those is very broken).



-Ilari

v2.23.0 | Report a Bug | By Email