[TLS] Re: [EXT] Re: Concerns about the current draft.

"D. J. Bernstein" <djb@cr.yp.to> Fri, 29 August 2025 22:57 UTC

Date: Fri, 29 Aug 2025 22:57:39 -0000
Message-ID: <20250829225739.229582.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <BN0P110MB14194C93A39098A840A1932C903AA@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
Subject: [TLS] Re: [EXT] Re: Concerns about the current draft.
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kNC4gAxR5ZJ8b8DfhtwVRNlRnwY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

> > One of the talks at Crypto 2025 last week said that none of the Kyber
> > parameters meet their claimed security levels.
> Details and specifics, please?

The paper is a recent update of https://eprint.iacr.org/2022/1750: "the
security levels for Kyber-512/768/1024 are 3.5/11.9/12.3 bits below the
NIST requirements (143/207/272 bits) in the same nearest-neighbor cost
model as in the Kyber submission".

The numbers should have been reported as ranges: analyzing the costs of
known lattice attacks actually involves many uncertainties that together
can push the security levels up or down by >10 bits. For the same
reason, I agree with a comment "there remains a few bits to be gained by
cryptanalysts before the security levels would be convincingly crossed"
from a member of the Kyber team in April. But the same analysis fog,
together with the attack improvements, means that Kyber could have even
_lower_ security levels against the paper's attack than the paper says,
never mind further attack improvements.

The Kyber team's last security analysis was in 2021 and claimed 151 bits
plus or minus various uncertainties. This new paper just a few years
later is >10 bits better. This _isn't_ from the originally identified
uncertainties being resolved in a way that happened to be unlucky for
Kyber. Specifically, the 2021 analysis

    https://web.archive.org/web/20230310174959/https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf

said "Our first point is that, while the core-SVP hardness methodology
suggest that the dual attack is slightly cheaper than the primal one, it
is in fact significantly more expensive"; the new paper is a much faster
dual attack (and avoids the disputes about some earlier dual attacks).
Primal attacks have also improved by >10 bits, for example via "hybrid"
attacks; the 2021 analysis had portrayed those attacks as merely
threatening "very low noise" and not Kyber.

Dismissing the advances here because the attack costs haven't reached
the demo level yet is the same conceptual mistake as dismissing quantum
computation because Shor's algorithm hasn't been demonstrated on any
real examples yet. One can, of course, hope for the advances to stop,
but this doesn't mean one should be blind to the advances.

In any event, Kyber's original security claims are not justifiable
today. For the same reason, NIST should withdraw its claims that ML-KEM
is as hard to break as AES-128/192/256.

---D. J. Bernstein
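[Editor's added example. The message above argues about security levels measured in particular lattice cost models and about how much "analysis fog" surrounds them. The script below is not part of the message and is not the Kyber team's estimator; it is a minimal implementation of the "core-SVP hardness methodology" that the message quotes the Kyber specification as using. It models only the primal (uSVP/BKZ) attack with the standard success heuristic sigma*sqrt(beta) <= delta(beta)^(2*beta-d-1) * q^(m/d), charges 2^(0.292*beta) classically and 2^(0.265*beta) quantumly for one SVP call, and reports how far a +-0.01 change in that sieving exponent moves the headline figure. Assumptions, labelled in the code: Kyber round-3 key-generation parameters (n = 256k, q = 3329, secret and error both from CBD_eta1, so sigma = sqrt(eta1/2)); no dual or hybrid attacks are modelled. The core-SVP outputs it produces live in a different, cruder cost model than the 143/207/272-bit figures quoted in the message and are not directly comparable with them; that mismatch of cost models is part of the point the thread is making.]

```python
"""Core-SVP primal estimate for Kyber-style Module-LWE public keys.

Added example, not the Kyber team's script.  Implements the standard
uSVP/BKZ heuristic behind the "core-SVP" methodology:

  the primal attack with BKZ block size beta succeeds when
      sigma * sqrt(beta) <= delta(beta)^(2*beta - d - 1) * q^(m/d),
  using m LWE samples, d = m + n + 1, delta(beta) = BKZ root-Hermite factor.
  Core-SVP then charges 2^(0.292*beta) classically and 2^(0.265*beta)
  quantumly for a single SVP oracle call and ignores all other costs.

Assumptions: Kyber round-3 key-generation parameters (n = 256*k, q = 3329,
public-key secret and error both drawn from CBD_eta1, sigma = sqrt(eta1/2)).
Only the primal attack is modelled; dual and hybrid attacks are not.
"""
import math

KYBER_Q = 3329  # assumption: Kyber modulus, all parameter sets

# Assumption: round-3 parameter sets (n = 256*k, eta1 = keygen noise parameter).
KYBER_PARAMS = {
    "Kyber-512": {"n": 512, "eta1": 3},
    "Kyber-768": {"n": 768, "eta1": 2},
    "Kyber-1024": {"n": 1024, "eta1": 2},
}

CORE_SVP_CLASSICAL = 0.292  # BDGL16 classical sieving exponent
CORE_SVP_QUANTUM = 0.265    # quantum sieving exponent (Laarhoven)


def root_hermite_factor(beta: int) -> float:
    """BKZ-beta root-Hermite factor delta under the usual asymptotic heuristic."""
    base = (math.pi * beta) ** (1.0 / beta) * beta / (2 * math.pi * math.e)
    return base ** (1.0 / (2 * (beta - 1)))


def primal_succeeds(beta: int, n: int, m: int, q: int, sigma: float) -> bool:
    """uSVP success condition for the primal (Kannan-embedding) attack."""
    d = m + n + 1
    delta = root_hermite_factor(beta)
    lhs = sigma * math.sqrt(beta)
    rhs = delta ** (2 * beta - d - 1) * q ** (m / d)
    return lhs <= rhs


def min_primal_blocksize(n: int, q: int, sigma: float, beta_max: int = 2000) -> tuple[int, int]:
    """Smallest block size beta for which some choice of m samples satisfies the
    success condition.  Returns (beta, m).  Assumption: the optimal m uses at
    least half of the n available samples, which holds for Kyber-like shapes."""
    for beta in range(50, beta_max + 1):
        delta = root_hermite_factor(beta)
        lhs = sigma * math.sqrt(beta)
        for m in range(n // 2, n + 1):
            d = m + n + 1
            if lhs <= delta ** (2 * beta - d - 1) * q ** (m / d):
                return beta, m
    raise ValueError(f"no block size up to {beta_max} succeeds")


def estimate(name: str, fog_bits_per_beta: float = 0.01) -> dict:
    """Core-SVP figures for one parameter set, plus a crude 'fog' band: how far a
    +-fog_bits_per_beta change in the sieving exponent (roughly the spread
    between published sieve cost models) moves the headline bit count."""
    p = KYBER_PARAMS[name]
    sigma = math.sqrt(p["eta1"] / 2)  # CBD_eta has variance eta/2
    beta, m = min_primal_blocksize(p["n"], KYBER_Q, sigma)
    classical = CORE_SVP_CLASSICAL * beta
    return {
        "beta": beta,
        "m": m,
        "classical_bits": classical,
        "quantum_bits": CORE_SVP_QUANTUM * beta,
        "classical_band": (classical - fog_bits_per_beta * beta,
                           classical + fog_bits_per_beta * beta),
    }


if __name__ == "__main__":
    for name in KYBER_PARAMS:
        r = estimate(name)
        lo, hi = r["classical_band"]
        print(f"{name}: beta={r['beta']} (m={r['m']}) "
              f"core-SVP classical ~2^{r['classical_bits']:.0f} "
              f"(exponent +-0.01 band: 2^{lo:.0f}..2^{hi:.0f}), "
              f"quantum ~2^{r['quantum_bits']:.0f}")
```

Running it reproduces the order of magnitude of the classical core-SVP figures in the Kyber round-3 specification (block sizes in the low 400s, mid 600s and high 800s). The band printed alongside is the practical takeaway: a change of one hundredth in the per-dimension sieving exponent, well within the spread between sieve cost models in the literature, already moves Kyber-1024 by more than 15 bits in total, which is the kind of uncertainty the message says should have been reported as a range.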