IETF Logo Mail Archive

[TLS] PQC key exchange sizes

Thom Wiggers <thom@thomwiggers.nl> Tue, 26 July 2022 12:15 UTC

Return-Path: <thom@thomwiggers.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9036BC1BED0C for <tls@ietfa.amsl.com>; Tue, 26 Jul 2022 05:15:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thomwiggers.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_cqf0scY-4R for <tls@ietfa.amsl.com>; Tue, 26 Jul 2022 05:15:48 -0700 (PDT)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3C80C1BED07 for <tls@ietf.org>; Tue, 26 Jul 2022 05:15:47 -0700 (PDT)
Received: by mail-yb1-xb2b.google.com with SMTP id n8so5477260yba.2 for <tls@ietf.org>; Tue, 26 Jul 2022 05:15:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thomwiggers.nl; s=google; h=mime-version:from:date:message-id:subject:to; bh=9YrXeoH5zHlxnBW2teOK17+Ohz1DDVhbxb1pf4Jvtfs=; b=NGOJD3VSAJ0BXK/FU0AhpNvZc5LxIxA2qGtj053xk1V5dKuBGnPaoFSFvd6dNxcMDw XD2i4NTR7vFlx/L2w4ALxZFOCdYI65neTXttnUmB+HEXWrnORbewwx3p1OSLKvDLRHnG PwjhTCALB6Zv7GOtE1TB2eAf67/yadZK3kV7w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=9YrXeoH5zHlxnBW2teOK17+Ohz1DDVhbxb1pf4Jvtfs=; b=3FonVlZgzwi4pvEl9g0L1TW17SFS3rcNlVx44Knaj3A1yFesraAWf1z6r7yyzqGMIV CUqKzZpxszoTzyDJRTFQlP04vVAr5KVrU7ZijM2PswEsdYWXK4kP/W0EuuArh4g/YKc3 m0EfQlrw2XHh6UWlEjXeiNIZImht8ZRHqjNzS88mN4bsDvnzRjichSZxHXev4tYdouNy v9Jlti50bVLkUQu6aZWFR4HJnTIyJxZMVCPCg63IUoOYw+i3isl0uYapk2YZ2RNatiNG GLiYrdm+2BEMvtc1yuIxveunO4RVSWHvdIbi8MT5yzpG7Qop36SXOJjPA2d1bfVwBtAC UCEg==
X-Gm-Message-State: AJIora8rAuoSMQ1HDtomJrSOvOtMB/KQ5g/zKKyFt3bCUj2bJyNb7bsx DcaAJllJR4wnSrLRdIWaREEZND0tMNsl0Ep5jIQNLnZ2Vv1tLk5D
X-Google-Smtp-Source: AGRyM1sL8dVvA2EnAXkXdr28VgaO6Cha8Wutk72szySHmP+J+ldF3KRIXsI03qQ8NUvPd6nkoPN4ZtqXqosBBcmjCNg=
X-Received: by 2002:a5b:89:0:b0:671:10c6:4618 with SMTP id b9-20020a5b0089000000b0067110c64618mr10937621ybp.27.1658837745576; Tue, 26 Jul 2022 05:15:45 -0700 (PDT)
MIME-Version: 1.0
From: Thom Wiggers <thom@thomwiggers.nl>
Date: Tue, 26 Jul 2022 14:15:34 +0200
Message-ID: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000090c75305e4b442fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vLELZQ7TJlN7gNMfDLEJKlLuihI>
Subject: [TLS] PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2022 12:15:52 -0000

Hi all,

In yesterday’s working group meeting we had a bit of a discussion of the
impact of the sizes of post-quantum key exchange on TLS and related
protocols like QUIC. As we neglected to put Kyber’s key sizes in our slide
deck (unlike the signature schemes), I thought it would be a good idea to
get the actual numbers of Kyber onto the mailing list.

Note that in the context of TLS’s key exchange, the public key would be
what goes into the ClientHello key_shares extension, and the ciphertext
would go into the Server’s ServerHello key_shares extension.

Kyber512: NIST level I, "strength ~AES128"
  public key: 800 bytes
  ciphertext: 768 bytes
  secret key: 1632 bytes
Kyber768: NIST level III, "~AES192"
  public key: 1184
  ciphertext: 1088
  secret key: 2400 bytes
Kyber1024: NIST level V, "~AES256"
  public key: 1568
  ciphertext: 1568
  secret key: 3168

So for the key exchange at least, it seems to me Kyber512 should work for
TLS and QUIC just fine; Kyber768 might be a bit of a squeeze if you want to
stay in QUIC’s default 1300 byte initial packet? Also, I don't really know
how the D of DTLS might change the story.

All the numbers we reported are as of the latest version of the individual
submissions (except as discussed below). The standards that NIST eventually
names FIPS-xyz might have (mildly) different sizes. NIST has said that
they’re always happy to receive feedback and information about use cases
and constraints.

Lastly, Bas Westerbaan has talked about a Kyber draft in yesterday’s CFRG
meeting. I believe a stated goal is to use that for coordinating any
experiments before the NIST standard is out. So keep an eye out if that
interests you.

Cheers,

Thom

PS: Let me also correct the mistake I had introduced in the SPHINCS+
numbers in the TLS talk: SPHINCS+ has indeed gotten slightly smaller than
the numbers I reported. The smallest SPHINCS+ variant (sphincs+-128s) has a
signature size of 7,856 bytes. There’s a nice table with the different
parameter sets of SPHINCS+ on their Github repository
https://github.com/sphincs/sphincsplus#parameters. I’m glad that people
were paying attention, apparently more than I was :-)

I will also clarify that when we mentioned that Falcon needs very careful
attention when implementing, this concerns Falcon's signing routines. These
require constant-time double-width floating point maths; on many CPUs this
will need to be emulated in software. Verification, on the other hand, is a
lot less sensitive.

v2.23.0 | Report a Bug | By Email