[TLS] PQC key exchange sizes
Thom Wiggers <thom@thomwiggers.nl> Tue, 26 July 2022 12:15 UTC
Return-Path: <thom@thomwiggers.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9036BC1BED0C for <tls@ietfa.amsl.com>; Tue, 26 Jul 2022 05:15:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thomwiggers.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_cqf0scY-4R for <tls@ietfa.amsl.com>; Tue, 26 Jul 2022 05:15:48 -0700 (PDT)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3C80C1BED07 for <tls@ietf.org>; Tue, 26 Jul 2022 05:15:47 -0700 (PDT)
Received: by mail-yb1-xb2b.google.com with SMTP id n8so5477260yba.2 for <tls@ietf.org>; Tue, 26 Jul 2022 05:15:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thomwiggers.nl; s=google; h=mime-version:from:date:message-id:subject:to; bh=9YrXeoH5zHlxnBW2teOK17+Ohz1DDVhbxb1pf4Jvtfs=; b=NGOJD3VSAJ0BXK/FU0AhpNvZc5LxIxA2qGtj053xk1V5dKuBGnPaoFSFvd6dNxcMDw XD2i4NTR7vFlx/L2w4ALxZFOCdYI65neTXttnUmB+HEXWrnORbewwx3p1OSLKvDLRHnG PwjhTCALB6Zv7GOtE1TB2eAf67/yadZK3kV7w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=9YrXeoH5zHlxnBW2teOK17+Ohz1DDVhbxb1pf4Jvtfs=; b=3FonVlZgzwi4pvEl9g0L1TW17SFS3rcNlVx44Knaj3A1yFesraAWf1z6r7yyzqGMIV CUqKzZpxszoTzyDJRTFQlP04vVAr5KVrU7ZijM2PswEsdYWXK4kP/W0EuuArh4g/YKc3 m0EfQlrw2XHh6UWlEjXeiNIZImht8ZRHqjNzS88mN4bsDvnzRjichSZxHXev4tYdouNy v9Jlti50bVLkUQu6aZWFR4HJnTIyJxZMVCPCg63IUoOYw+i3isl0uYapk2YZ2RNatiNG GLiYrdm+2BEMvtc1yuIxveunO4RVSWHvdIbi8MT5yzpG7Qop36SXOJjPA2d1bfVwBtAC UCEg==
X-Gm-Message-State: AJIora8rAuoSMQ1HDtomJrSOvOtMB/KQ5g/zKKyFt3bCUj2bJyNb7bsx DcaAJllJR4wnSrLRdIWaREEZND0tMNsl0Ep5jIQNLnZ2Vv1tLk5D
X-Google-Smtp-Source: AGRyM1sL8dVvA2EnAXkXdr28VgaO6Cha8Wutk72szySHmP+J+ldF3KRIXsI03qQ8NUvPd6nkoPN4ZtqXqosBBcmjCNg=
X-Received: by 2002:a5b:89:0:b0:671:10c6:4618 with SMTP id b9-20020a5b0089000000b0067110c64618mr10937621ybp.27.1658837745576; Tue, 26 Jul 2022 05:15:45 -0700 (PDT)
MIME-Version: 1.0
From: Thom Wiggers <thom@thomwiggers.nl>
Date: Tue, 26 Jul 2022 14:15:34 +0200
Message-ID: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000090c75305e4b442fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vLELZQ7TJlN7gNMfDLEJKlLuihI>
Subject: [TLS] PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2022 12:15:52 -0000
Hi all, In yesterday’s working group meeting we had a bit of a discussion of the impact of the sizes of post-quantum key exchange on TLS and related protocols like QUIC. As we neglected to put Kyber’s key sizes in our slide deck (unlike the signature schemes), I thought it would be a good idea to get the actual numbers of Kyber onto the mailing list. Note that in the context of TLS’s key exchange, the public key would be what goes into the ClientHello key_shares extension, and the ciphertext would go into the Server’s ServerHello key_shares extension. Kyber512: NIST level I, "strength ~AES128" public key: 800 bytes ciphertext: 768 bytes secret key: 1632 bytes Kyber768: NIST level III, "~AES192" public key: 1184 ciphertext: 1088 secret key: 2400 bytes Kyber1024: NIST level V, "~AES256" public key: 1568 ciphertext: 1568 secret key: 3168 So for the key exchange at least, it seems to me Kyber512 should work for TLS and QUIC just fine; Kyber768 might be a bit of a squeeze if you want to stay in QUIC’s default 1300 byte initial packet? Also, I don't really know how the D of DTLS might change the story. All the numbers we reported are as of the latest version of the individual submissions (except as discussed below). The standards that NIST eventually names FIPS-xyz might have (mildly) different sizes. NIST has said that they’re always happy to receive feedback and information about use cases and constraints. Lastly, Bas Westerbaan has talked about a Kyber draft in yesterday’s CFRG meeting. I believe a stated goal is to use that for coordinating any experiments before the NIST standard is out. So keep an eye out if that interests you. Cheers, Thom PS: Let me also correct the mistake I had introduced in the SPHINCS+ numbers in the TLS talk: SPHINCS+ has indeed gotten slightly smaller than the numbers I reported. The smallest SPHINCS+ variant (sphincs+-128s) has a signature size of 7,856 bytes. There’s a nice table with the different parameter sets of SPHINCS+ on their Github repository https://github.com/sphincs/sphincsplus#parameters. I’m glad that people were paying attention, apparently more than I was :-) I will also clarify that when we mentioned that Falcon needs very careful attention when implementing, this concerns Falcon's signing routines. These require constant-time double-width floating point maths; on many CPUs this will need to be emulated in software. Verification, on the other hand, is a lot less sensitive.
- [TLS] PQC key exchange sizes Thom Wiggers
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Stephen Farrell
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Bas Westerbaan
- Re: [TLS] PQC key exchange sizes Rob Sayre
- Re: [TLS] PQC key exchange sizes Sofía Celi
- [TLS] Before we PQC... Re: PQC key exchange sizes Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Peter Gutmann
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Bas Westerbaan
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Robert Relyea
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Thom Wiggers