D. J. Bernstein wrote:
> as far as I know there was only one other cryptographer on record
> recommending against using SIKE.

I am on record multiple times recommending against using _any_ non-standard or paywalled algorithms. That includes Kyber, Dilithium, FrodoKEM, Falcon, SPHINCS+, Classic McEliece, NewHope, NTRU, NTRU Prime, and SIKE....

Sometimes NSA has very good advice: "NSS customers are reminded that NSA does not recommend and policy does not allow implementing or using unapproved, non-standard or experimental cryptographic algorithms."
https://media.defense.gov/2021/Aug/04/2002821837/-1/-1/1/Quantum_FAQs_20210804.PDF

I think it is very sad that deploying a lot of non-standard and experimental cryptographic algorithms gives a lot of positive media attention...

NIST does not deserve any criticism for continuing to evaluate SIKE. I would also like to see more evaluation of CSIDH, where, according to this paper, you don't agree that the "conservative parameters" suggested by other researchers are needed.
https://thomwiggers.nl/publication/secsidh/secsidh.pdf

Cheers,
John

From: TLS <tls-boun...@ietf.org> on behalf of D. J. Bernstein <d...@cr.yp.to>
Date: Wednesday, 8 November 2023 at 01:07
To: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Yoav Nir writes:
> To justify a hybrid key exchange you need people who are both worried
> about quantum computers and worried about cryptanalysis or the new
> algorithms, but are willing to bet that those things won't happen at
> the same time. Or at least, within the time where the generated key
> still matters.

Google and Cloudflare encrypted quite a bit of actual user data using SIKE: https://blog.cloudflare.com/the-tls-post-quantum-experiment/

The only reason this didn't give the user data away to today's attackers is that Google and Cloudflare had the common sense to insist that any post-quantum algorithm be added as a second layer of encryption on top of the existing X25519 layer, rather than removing the existing layer. That was in 2019.

For anyone who thinks a few years of subsequent study were enough for the public to identify which post-quantum cryptosystems are breakable, it's useful to look at NIST's official report https://web.archive.org/web/20220705160405/https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf in July 2022 saying that

* SIKE is "being considered for future standardization";
* regarding NIST deciding to throw away FrodoKEM: "While NIST intends to select at least one additional KEM not based on structured lattices for standardization after the fourth round, three other KEM alternates (BIKE, HQC, and SIKE) are better suited than FrodoKEM for this role";
* "SIKE remains an attractive candidate for standardization because of its small key and ciphertext sizes";
* regarding NIST delaying a decision on Classic McEliece: "For applications that need a very small ciphertext, SIKE may turn out to be more attractive";
* regarding torsion-point attacks: "there has been no impact on SIKE".

SIKE had been advertised in 2021 (https://eprint.iacr.org/2021/543) as "A decade unscathed". I think I was the only person speaking up to object (https://twitter.com/hashbreaker/status/1387779717370048518), and as far as I know there was only one other cryptographer on record recommending against using SIKE.

---D. J. Bernstein
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
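The "second layer on top of X25519" property discussed in the thread comes down to how the two shared secrets are combined. The following is an added illustration (not code from the thread, from Google/Cloudflare, or from any TLS draft) of the concatenate-then-KDF pattern: both shared secrets are fed as input keying material to HKDF-SHA256, so the session key depends on each layer, and an attacker who later breaks one KEM still lacks the other secret. The two shared secrets and the transcript value are constructed placeholders standing in for the X25519 and post-quantum KEM outputs; the HKDF labels and salt choice are assumptions for the example, not the exact TLS key schedule.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256. Empty salt -> zero-filled salt."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Combine a classical (e.g. X25519) and a post-quantum KEM shared secret.

    Both secrets are concatenated into one IKM before extraction, so the
    resulting key cannot be computed from either secret alone.  The
    transcript hash is used as the HKDF salt so the key is bound to the
    handshake messages.  Label and layout are example choices.
    """
    ikm = ss_classical + ss_pq
    prk = hkdf_extract(transcript, ikm)
    return hkdf_expand(prk, b"example hybrid session key", 32)


def single_layer_key(ss: bytes, transcript: bytes) -> bytes:
    """The non-hybrid alternative: one KEM output only (what a SIKE-only
    deployment would have derived its key from)."""
    prk = hkdf_extract(transcript, ss)
    return hkdf_expand(prk, b"example hybrid session key", 32)


def pq_break_reveals_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                         attacker_guess_classical: bytes) -> bool:
    """Model the thread's scenario: the attacker learns ss_pq (the PQ KEM is
    broken) but must guess the classical secret.  Returns True only if the
    guess reproduces the real session key, i.e. only if ss_classical leaks."""
    real = hybrid_key(ss_classical, ss_pq, transcript)
    attempt = hybrid_key(attacker_guess_classical, ss_pq, transcript)
    return hmac.compare_digest(real, attempt)


# Constructed sample values (not real KEM outputs).
SS_X25519 = bytes.fromhex("11" * 32)   # stands in for the X25519 shared secret
SS_PQ = bytes.fromhex("22" * 32)       # stands in for the post-quantum KEM secret
TRANSCRIPT = hashlib.sha256(b"constructed handshake transcript").digest()


def main() -> None:
    k_hybrid = hybrid_key(SS_X25519, SS_PQ, TRANSCRIPT)
    k_pq_only = single_layer_key(SS_PQ, TRANSCRIPT)
    print("hybrid key  :", k_hybrid.hex())
    print("PQ-only key :", k_pq_only.hex())
    # Attacker who broke the PQ KEM but guesses the classical secret wrong:
    print("key recovered after PQ break:",
          pq_break_reveals_key(SS_X25519, SS_PQ, TRANSCRIPT, bytes(32)))


if __name__ == "__main__":
    main()
```

The usable difference from a single-layer design is in `pq_break_reveals_key`: with only `ss_pq` in hand the attacker gets a different key for every wrong `ss_classical` guess, which is exactly why the 2019 experiment's traffic was not exposed when SIKE fell. The combiner only helps if the classical layer is actually mixed into the KDF input, not negotiated and discarded.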