On 07/03/2024 03:57, Bas Westerbaan wrote:
> We think it's worth it now, but of course we're not going to keep
> hybrids around when the CRQC arrives.
Sure, but for now we gain substantial security margin* against
implementation mistakes, advances in cryptography, etc.
On the perf/cost side, we're already making a large number of
sub-optimal choices (use of SHA-3, use of Kyber in TLS rather than a CPA
scheme, picking 768 over 512, etc), we can easily 'pay' for X25519 if
you really wanted. I think if handshake cycles really mattered then we'd
have shown RSA the door much more quickly [1].
Best,
Dennis
* As in, actual security from combination of independent systems, not
the mostly useless kind from using over-size primitives.
[1] https://blog.cloudflare.com/how-expensive-is-crypto-anyway
> Best,
> Bas
>
> On Thu, Mar 7, 2024 at 1:56 AM Dennis Jackson
> <ietf=40dennis-jackson...@dmarc.ietf.org> wrote:
>> I'd like to understand the argument for why a transition back to single
>> schemes would be desirable.
>>
>> Having hybrids be the new standard seems to be a nice win for security
>> and pretty much negligible costs in terms of performance, complexity and
>> bandwidth (over single PQ schemes).
>>
>> On 07/03/2024 00:31, Watson Ladd wrote:
>>> On Wed, Mar 6, 2024, 10:48 AM Rob Sayre <say...@gmail.com> wrote:
>>>> On Wed, Mar 6, 2024 at 9:22 AM Eric Rescorla <e...@rtfm.com> wrote:
>>>>>
>>>>> On Wed, Mar 6, 2024 at 8:49 AM Deirdre Connolly
>>>>> <durumcrustu...@gmail.com> wrote:
>>>>>>> Can you say what the motivation is for being "fully
>>>>>>> post-quantum" rather than hybrid?
>>>>>> Sure: in the broad scope, hybrid introduces complexity in the
>>>>>> short-term that we would like to move off of in the long-term -
>>>>>> for TLS 1.3 key agreement this is not the worst thing in the world
>>>>>> and we can afford it, but hybrid is by design a hedge, and
>>>>>> theoretically a temporary one.
>>>>>
>>>>> My view is that this is likely to be the *very* long term.
>>>>
>>>> Also, the ship has sailed somewhat, right? Like Google Chrome,
>>>> Cloudflare, and Apple iMessage already have hybrids shipping (I'm
>>>> sure there are many more, those are just really popular examples). The
>>>> installed base is already very big, and it will be around for a
>>>> while, whatever the IETF decides to do.
>>> People can drop support in browsers fairly easily especially for an
>>> experimental codepoint. It's essential that this happen: if everything
>>> we (in the communal sense) tried had to be supported in perpetuity, it
>>> would be a recipe for trying nothing.
>>>
>>>> thanks,
>>>> Rob
>>>>
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls