IETF Logo Mail Archive

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

Phillip Hallam-Baker <ietf@hallambaker.com> Sun, 07 August 2022 17:24 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00470C14F733 for <tls@ietfa.amsl.com>; Sun, 7 Aug 2022 10:24:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.43
X-Spam-Level:
X-Spam-Status: No, score=-1.43 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T47Lc33Y8bhI for <tls@ietfa.amsl.com>; Sun, 7 Aug 2022 10:24:47 -0700 (PDT)
Received: from mail-oo1-f54.google.com (mail-oo1-f54.google.com [209.85.161.54]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29324C14F607 for <tls@ietf.org>; Sun, 7 Aug 2022 10:24:47 -0700 (PDT)
Received: by mail-oo1-f54.google.com with SMTP id c17-20020a4a8ed1000000b004452faec26dso437838ool.5 for <tls@ietf.org>; Sun, 07 Aug 2022 10:24:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=urECHhMySj5L9WJ40s+7nHji7ai+eMtWSjkB/Usf2ck=; b=cwX3FUrBbuq7sYrdvYjrZsxvYwmEkz/0IXroHN5F+6MutfH75ys0VgCp1ZnjNWxrBi r3N30r70DOO/viaU3DzcV4ZwDtOWRuzcNkTG35QFFpQN1NkCtrDmcHYcJursBGk5gTUc a9h3yPlAJ2WRfe2XYO7qAw4N6HdbazfFJ2kspzqrhdSB01nTMx5oQ+qtd7ts8oHs/G4f dcWuX/rG+sCLdhg6gaTSiRN6K3qIRu9riOmM8TOCKXPyfe6OExVs1yXEP8VKSPP8nVtA zmxWmpqG3Vl66RW3zxoYXszsL/dHdK3wEzsjXCOrP5IWvZUH2VqFsidXAuhOYcUbwOpL z9Iw==
X-Gm-Message-State: ACgBeo2wngSygXgn/oagVft9IOFQXmw0CiNON0tuQAgn3DE5iG0MeZW3 qTqKOr/3dM4yFtyfu0MKuwSoVpqKHfYiR6WZwy8=
X-Google-Smtp-Source: AA6agR53KlUGz2cDuszClauenwNrXfugCXTyb/LV9IpHMSgDdC6hso7SF/b9Mszb2u8Vv4sVpQluvCAwoVSVfAq4Naw=
X-Received: by 2002:a4a:be06:0:b0:435:8b69:e35b with SMTP id l6-20020a4abe06000000b004358b69e35bmr5463548oop.78.1659893086380; Sun, 07 Aug 2022 10:24:46 -0700 (PDT)
MIME-Version: 1.0
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com> <CAMm+LwgAzb4t=awzpU4Sb5j7Bf6DuR3u+23n+h_C3Pnsin-SHg@mail.gmail.com> <8383756C-5595-4028-9E5E-8B758147ED33@ll.mit.edu> <CAMm+LwgHNL_aHqK+TbdBf=xJBPftjkXL_=isXUJB+mbiUc7_Lw@mail.gmail.com> <58778bee-ccd8-3b6b-cdf3-7392cd6f3187@riseup.net> <CAMm+LwgJTuhLbfALRLi=w_Uyt5v4Ngv=C+ZhvSPqzezQcC568A@mail.gmail.com> <3cd60870-7c55-ddbd-bb45-181d144685dc@riseup.net>
In-Reply-To: <3cd60870-7c55-ddbd-bb45-181d144685dc@riseup.net>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
Date: Sun, 07 Aug 2022 13:24:35 -0400
Message-ID: <CAMm+LwjXBRW_riWA0X8VQ4xdOGxfseQYkov9wZNKGiX=qFiH=A@mail.gmail.com>
To: Sofía Celi <cherenkov@riseup.net>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c767d005e5a9f9f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/n1D70ERL5iKRdrlKdl37GQQtlUA>
Subject: Re: [TLS] Before we PQC... Re: PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Aug 2022 17:24:51 -0000

On Sun, Aug 7, 2022 at 11:53 AM Sofía Celi <cherenkov@riseup.net> wrote:

> Dear, all,
>
> Late to reply to some emails. I was just travelling ;)
>
> >      > I am now thinking in terms of 'Post Quantum Hardened" and "Post
> >     Quantum
> >      > Qualified". Hardening a system so it doesn't completely break
> >     under QCC
> >      > is a practical near term goal. Getting to a fully qualified
> >     system is
> >      > going to be a root-and-canal job.
> >
> >     There is a notion of being 'quantum annoyant' to a quantum computer:
> >     perhaps that might be an starting point for other schemes that do no
> >     have a post-quantum counterpart as of right now. For others, a hybrid
> >     approach should definitly be taken such that classical cryptography
> >     still protects data.
> >
> >
> > I am using PQC to protect the data and Threshold-ECC to protect the data
> > with separation of roles.
>
> Unfortunately, Threshold-ECC does not have a propely assesed quantum
> secure version. There is some thoughts over here if interested:
>
> https://csrc.nist.gov/CSRC/media/Events/Second-PQC-Standardization-Conference/documents/accepted-papers/cozzo-luov-paper.pdf


Right now, there is little to no interest in applying threshold to data at
rest so it would be ludicrous to make threshold a requirement at this stage.

But data at rest is where about half the breaches occur (the other half
being data in use as in when a database or application has a file in
memory). And separation of roles is our most powerful tool for securing
data at rest. And threshold is the name for cryptographic tools that
enforce separation of roles.

The original reason I went away to do my own stuff is that it is really
difficult to get clarity on the underlying principles when one is focused
on maintenance of a highly constrained system like PKIX/WebPKI, TLS, etc.
So one of the original goals was to have something I could use for
'experiments' and then attempt to apply the same principles to the legacy
systems. Which is what I am doing here.


So no, Threshold PQC (TPQC) is not yet a thing. But now that the NIST
competition is winding down, it looks to me like there are going to be a
large number of out of work cryptographers unless they can find a new
problem to work on.

TPQC signatures are a really low priority for me. Multi signatures work
fine for almost any use case. What I really need are mechanisms for
generating keys from threshold shares and for key agreement split into
threshold shares.

A system that works for n=t=2 (two shares, both required) more than meets
the 80:20 rule.

v2.23.0 | Report a Bug | By Email