IETF Logo Mail Archive

[TLS] Re: [EXT] Re: ML-DSA in TLS

"D. J. Bernstein" <djb@cr.yp.to> Thu, 28 November 2024 19:38 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE547C1519AD for <tls@ietfa.amsl.com>; Thu, 28 Nov 2024 11:38:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, LOTS_OF_MONEY=0.001, PP_MIME_FAKE_ASCII_TEXT=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JTBQevvlxlMq for <tls@ietfa.amsl.com>; Thu, 28 Nov 2024 11:38:30 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id B9B01C151527 for <tls@ietf.org>; Thu, 28 Nov 2024 11:38:30 -0800 (PST)
Received: (qmail 30219 invoked by uid 1010); 28 Nov 2024 19:38:29 -0000
Received: from unknown (unknown) by unknown with QMTP; 28 Nov 2024 19:38:29 -0000
Received: (qmail 1032007 invoked by uid 1000); 28 Nov 2024 19:38:17 -0000
Date: Thu, 28 Nov 2024 19:38:17 -0000
Message-ID: <20241128193817.1032005.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <BN0P110MB1419ECE0F462E249E76950399029A@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
Message-ID-Hash: WFJ35HNBT7XCMGAL46M4HAILRUMMSY2E
X-Message-ID-Hash: WFJ35HNBT7XCMGAL46M4HAILRUMMSY2E
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gB55YMMdfFLqaCE9ughNXX8qjtA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Blumenthal, Uri - 0553 - MITLL writes:
> You don’t really need PQ DSA until CRQC is here. At this point,
> everybody seems to agree that there is time before CRQC arrives. So,
> keep studying/exploring/attacking PQ DSA, and prepare code and
> infrastructure to deploy it – but use ECC for now. . . . .

I disagree. Attackers won't tell us when they have a quantum computer,
and upgrading can take a long time.

My objection to the draft is different: the draft is taking unnecessary
risks by using PQ instead of ECC+PQ.

    [ tirumal reddy writes: ]
> > The deployment timeline for new algorithms and standards is lengthy.
> Of course. But we aren’t talking about new algorithms here! Unless you
> consider ECC and/or RSA that have been in the deployed codebases for
> ages now – new?

Depending on the environment, simple one-line configuration changes can
take years to roll out even when the software is already sitting there.
Getting all TLS applications to accept PQ signatures won't be a fast
process even after the software is completely ready. If people then
learn that the PQ system is broken then getting all TLS applications to
_stop_ accepting PQ signatures won't be a fast process. This means a
long period of known vulnerability (looking at the whole ecosystem, not
just the portions that are fastest to upgrade), plus however many years
attackers are secretly exploiting the same vulnerability.

Please withdraw your claim that there's "no damage possible (at least,
in the TLS context) caused by PQ DSA break".

> if/when CTQC arrives – ECC (or any other Classic algorithm) become useless

"Concretely, think about a demo showing that spending a billion dollars
on quantum computation can break a thousand X25519 keys. Yikes! We
should be aiming for much higher security than that! We don't even want
a billion-dollar attack to be able to break _one_ key! Users who care
about the security of their data will be happy that we deployed
post-quantum cryptography. But are the users going to say 'Let's turn
off X25519 and make each session a million dollars cheaper to attack'?
I'm skeptical. I think users will need to see much cheaper attacks
before agreeing that X25519 has negligible security value."

> As for PQ algorithms maturity
  [ miscellaneous timeline statements saying nothing about attacks ]

Evaluating security risks requires looking at the attack surface,
including known attacks and avenues for further attacks. Lattices are
continuing to lose security every year; it's amazing to look back at
https://eprint.iacr.org/2010/613 estimating security 2^150 for a
proposal with lattice dimension 256.

---D. J. Bernstein

v2.37.1 | Report a Bug | By Email | System Status