[TLS] Re: Boring cryptography, and the opposite extreme
Bas Westerbaan <bas@cloudflare.com> Tue, 15 April 2025 10:02 UTC

For everyone's convenience:
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/RsQbm_AQfzs/m/19o76lsyCwAJ

On Tue, Apr 15, 2025 at 11:55 AM D. J. Bernstein <djb@cr.yp.to> wrote:

> A message has just appeared on pqc-forum claiming yet another attack
> improvement against lattices---improving what are called "dual" attacks
> and breaking earlier claims about those attacks not working; concretely,
> reducing "the security of Kyber-512/768/1024 by approximately
> 3.5/11.9/12.3 bits" below Kyber's security goals in the same cost model
> used in the round-3 Kyber submission.
>
> For comparison, the round-3 Kyber security analysis had claimed that
> "primal" attacks for round-3 Kyber-512 (after patches to Kyber-512 in
> response to earlier security issues) were ~10 bits above the goals, and
> that dual attacks were "significantly more expensive" than that.
>
> The "significantly" slowdown wasn't quantified, so the reader is left
> not even knowing how much improvement there has been. Did these 5 years
> of public attack development reduce the costs of Kyber-512 dual attacks
> by 20 bits? 30 bits? As for the future, how much farther will the cliff
> crumble? We don't know. Continued excitement for researchers! Lattice
> attacks today are far less stable than ECC attacks were two decades ago.
>
> To be clear, I'm not opposing efforts to roll out post-quantum systems:
> on the contrary, we have to _try_ to stop quantum attacks. I'm simply
> saying that we shouldn't be ripping out seatbelts.
>
> ---D. J. Bernstein