Benjamin Kaduk writes:
> the numbers here are *not* conclusive for all possible use cases and
> deployment contexts.

Sure, but if anyone had a real example of a TLS application where
removing ECC makes the difference for PQ deployability then we would
have seen the example by now (and the WG could proceed to an informed
discussion of whether supporting that application is worth incurring
security risks), rather than hearing just _insinuations_ of the cost
difference mattering.

GCHQ posted a "greater costs ... less efficient" anti-hybrid argument
online in November 2023. I pointed out in January 2024 that (1) GCHQ's
claims lead the reader to think that the cost difference here is
_important_, (2) GCHQ hadn't given any cost numbers, and (3)
quantification indicates that the cost difference _isn't_ important:

    https://blog.cr.yp.to/20240102-hybrid.html

The non-hybrid draft was posted later that year with a short, circular
motivation section. A request for motivation was answered with "CNSA 2.0
compliance" and, strikingly, an admission that "we can afford" to keep
the ECC seatbelt:

    
https://web.archive.org/web/20250613195524/https://mailarchive.ietf.org/arch/msg/tls/qFRxBSnEPJcdlt7MO0cIL2kW5qc/

The closest this came to presenting an engineering rationale for the
draft, rather than the do-what-NSA-says rationale, was a claim that we'd
like to remove the "complexity" of ECC+PQ. But Andrey Jivsov pointed out
that this draft _increases_ complexity, given that ECC+PQ is (for good
reasons!) there anyway:

    
https://web.archive.org/web/20250613195524/https://mailarchive.ietf.org/arch/msg/tls/uOmcMEqlyekrvcOgdsf7GtIlf3w/

There was no reply to this objection.

Meanwhile the official NSA PDF that was cited for the compliance claim
actually contradicts the claim: the PDF says "hybrid solutions may be
allowed or required due to protocol standards". An updated official NSA
PDF from 2025 says the same thing:

    
https://web.archive.org/web/20250827175413/https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF

The TLS WG simply has to hold the line, standardize ECC+PQ, and refuse
any endorsement of non-hybrid PQ.

Apparently the Whac-a-Mole game now returns to cost claims, misleading
some observers into thinking that there was a serious dispute about the
affordability of keeping ECC. Meanwhile IETF management works on rolling
out new procedures that allow permanent IETF bans of people issuing
"incessant requests for evidence", as if the problem were with the
requests for evidence rather than with the unjustified claims that those
requests are challenging.

---D. J. Bernstein


===== NOTICES =====

This document may not be modified, and derivative works of it may not be
created, and it may not be published except as an Internet-Draft. (That
sentence is the official language from IETF's "Legend Instructions" for
the situation that "the Contributor does not wish to allow modifications
nor to allow publication as an RFC". I'm fine with redistribution of
copies of this document; the issue is with modification. Legend language
also appears in, e.g., RFC 5831. For further background on the relevant
IETF rules, see https://cr.yp.to/2025/20251024-rules.pdf.)
