Is it sizable? I have talked to enough people who feel the need to say “yes”.
The other thing to consider is the cost. If it is essentially free, I believe we can make a reasonable case to add it, even if the benefit is only moderate. If it is costly, then we really need to consider if it is worth it.

As for the costs, here is what I can see:

* Additional computation: ECDH is fairly efficient, and so the cost there is reasonable
* Additional bandwidth: ECDH is ridiculously small compared to Kyber (which is what we’d be using anyways), and so that comes close to being ignorable
* Additional complexity: I’m assuming that, in the intermediate term, most implementations will need to implement ECDH (for backwards compatibility) in addition to Kyber, and so the requirement to implement that is not actually an addition. The other complexity is the need to compute the Kyber and ECDH shared secret; there are a number of proposed options (ranging from “just hash the two together” to fancier constructions designed to address various subtle issues), however even in the most complex proposal, it’s still not that bad.

Is there a cost I’m missing (or did I mischaracterize one of them)? If there is some demand and the cost is reasonable (albeit not “essentially free”), I don’t see a reason not to include it as an option.

From: Yoav Nir <ynir.i...@gmail.com>
Sent: Tuesday, November 7, 2023 11:36 AM
To: Scott Fluhrer (sfluhrer) <sfluh...@cisco.com>
Cc: Watson Ladd <watsonbl...@gmail.com>; Kris Kwiatkowski <k...@amongbytes.com>; Bas Westerbaan <b...@cloudflare.com>; TLS List <TLS@ietf.org>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

For signatures or keys in something like a certificate, I understand how you would want to have both the PQ and classical keys/sigs in the same structure, to satisfy those who want the classical algorithm and those who prefer the post-quantum. For key exchange? For the most part a negotiation is good enough, no?
To justify a hybrid key exchange you need people who are both worried about quantum computers and worried about cryptanalysis of the new algorithms, but are willing to bet that those things won’t happen at the same time. Or at least, within the time where the generated key still matters. I’m sure it’s not an empty set of people, but is it sizable?

On 7 Nov 2023, at 10:29, Scott Fluhrer (sfluhrer) <sfluhrer=40cisco....@dmarc.ietf.org> wrote:

The problem with the argument “X trusts Kyber, so we don’t need hybrid” (where X can be “NIST” or “the speaker”) is that trust, like beauty, is in the eye of the beholder. Just because NIST (or any other third party) is comfortable with just using Kyber (or Dilithium) does not mean that everyone does. As long as there are a number of users that don’t quite trust fairly new algorithms, there will be a valid demand for using those new algorithms with older ones (which aren’t post-quantum, but which we are moderately confident are resistant to conventional cryptanalysis).

From: TLS <tls-boun...@ietf.org> On Behalf Of Watson Ladd
Sent: Monday, November 6, 2023 2:44 PM
To: Kris Kwiatkowski <k...@amongbytes.com>
Cc: Bas Westerbaan <bas=40cloudflare....@dmarc.ietf.org>; TLS List <TLS@ietf.org>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Why do we need FIPS hybrids? The argument for hybrids is that we don't trust the code/algorithms that's new. FIPS certification supposedly removes that concern so can just use the approved PQ implementation.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
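As an added illustration of the two ends of the combiner range Scott mentions (this is example code written for this page, not code from the thread, from any TLS draft, or from any Kyber implementation), the sketch below puts "just hash the two together" next to a combiner that also binds the public values of both exchanges into the derived key. It assumes HKDF over SHA-256 as the key-derivation step and an arbitrary label string; the shared secrets, public key and ciphertext are constructed stand-ins for the outputs of a real X25519 and Kyber exchange.

```python
import hashlib
import hmac

# Minimal HKDF (RFC 5869) over SHA-256; used here as the derivation step.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def combine_simple(ss_ecdh: bytes, ss_kem: bytes) -> bytes:
    """'Just hash the two together'. Both inputs are fixed length for a given
    algorithm pair, so the concatenation is unambiguous, and the result stays
    unpredictable as long as either shared secret does."""
    return hashlib.sha256(ss_ecdh + ss_kem).digest()

def _lv(field: bytes) -> bytes:
    # Length-prefix each field so the concatenation cannot be re-split.
    return len(field).to_bytes(2, "big") + field

def combine_bound(ss_ecdh: bytes, ss_kem: bytes, pub_ecdh: bytes, ct_kem: bytes,
                  label: bytes = b"hybrid-combiner-example") -> bytes:
    """A 'fancier' combiner: both secrets go through HKDF-Extract, and the public
    values of both exchanges are mixed in at the Expand step, so the derived key is
    tied to the exact transcript it came from. The label is an assumed constant for
    this example, not a value taken from any draft."""
    prk = hkdf_extract(b"\x00" * 32, ss_ecdh + ss_kem)
    info = _lv(label) + _lv(pub_ecdh) + _lv(ct_kem)
    return hkdf_expand(prk, info, 32)

# Constructed stand-ins for the outputs of an X25519 and a Kyber exchange.
SS_ECDH = bytes.fromhex("11" * 32)
SS_KEM = bytes.fromhex("22" * 32)
PUB_ECDH = bytes.fromhex("33" * 32)
CT_KEM = bytes.fromhex("44" * 64)

def either_secret_matters() -> bool:
    # Replacing either shared secret must change the output of both combiners:
    # a break of one component alone does not reveal the hybrid key.
    bad = bytes.fromhex("ff" * 32)
    return (combine_simple(SS_ECDH, SS_KEM) != combine_simple(bad, SS_KEM)
            and combine_simple(SS_ECDH, SS_KEM) != combine_simple(SS_ECDH, bad)
            and combine_bound(SS_ECDH, SS_KEM, PUB_ECDH, CT_KEM)
                != combine_bound(SS_ECDH, bad, PUB_ECDH, CT_KEM))
```

Note that only the bound variant changes when the ciphertext changes while both secrets stay the same; the simple variant cannot distinguish those transcripts, which is the kind of subtle issue the fancier constructions are meant to address.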