Security Cryptography Whatever

Standardizing Pure PQC

Deirdre Connolly, Thomas Ptacek, David Adrian Season 5 Episode 4


Standardizing cryptography involves a lot of opinions. Luckily, the gamer presidents are on it. Come on, you all know the drill.

This is the last time I do this.


"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

All right, you fools. Let's finish standardizing the use of non-hybrid post-quantum key exchange in TLS. I thought NIST already standardized ML-KEM at three security levels, or at least that's what some staffer told me through Mike Donilon. That's right, Joe. But now we need to standardize how to use pure ML-KEM in TLS. I thought that was already done. Haven't those fellows at Chrome and Cloudflare been running this shit for years? What's all rolled out, Jack, was the hybrid construction. The key exchange contains both an X25519 key and an ML-KEM key, and then the results are combined. Fun fact, that mode is actually FIPS compatible, so long as ML-KEM is on the left, which it is. ML-KEM has been infiltrated by the radical left. You said it yourself, Obama. God dammit, Donald. I meant that it's written as the first parameter on the left hand side of the xor when used as a FIPS compatible hybrid construction. It's the left side of the equation, not the political left. Anyway, we still need to finish standardizing the non-hybrid constructions. If the hybrid constructions are FIPS, why would we ever need a non-hybrid construction? FIPS is woke. Donnie, I told you, if your DOGE kids had cut FIPS validation, not have become a Republican. Elon is off making data centers in space. We ran out of time to cut FIPS and iap. Besides, me and Elon stopped playing Minecraft together ever since he tricked me into loading into a Minecraft version of Epstein's Island. That's fucking hilarious. Donnie Obama. I don't get it. The hybrid constructions have more cryptography and are therefore more secure. Why are we standardizing non-hybrid constructions? Uh, hybrid constructions are not more secure. What if the new post-quantum cryptography is broken? ML-KEM is moon math. Lattices are not moon math. They're older now than elliptic curves were when they were deployed. Elliptic curves are moon math. We should all just use 65,536-bit RSA that's secure against a quantum attacker. 
No, it's not, sleepy Joe. Also, RSA is quadratic in bit length. That's 1024 times slower than 2048-bit RSA. Do you really wanna wait 1024 times longer for cryptography, sleepy Joe? Why are you two talking about RSA? We're here to talk about pure PQC. There's plenty of use cases for non-hybrid constructions, including standards like CNSA 2.0. Backdoor? ML-KEM has been backdoored by NSA. We need to mix in X25519 to make cryptography great again. Donnie, there's not enough bits in the parameter space of ML-KEM to have a secret key backdoor. Besides, NSA are the people asking to use ML-KEM on their own data. Why would they want to use a broken algorithm for their own top secret data? NIST ran an international competition. ML-KEM was mostly designed by Europeans anyway, and not NSA. Great point, Joe. Even worse, I don't want any cryptography from the failing European Union. Their regulations are so bad that even the Olympic medals were falling apart. That is actually true. Go look it up. The EU is just freeloading their knowledge worker class off the backs of hardworking American companies. GDPR is terrible. I do hate cookie prompts. Anyway, uh, let's get back on topic. ML-KEM is a good algorithm and we're all gonna feel a little ridiculous if we're wasting time and compute doing elliptic curve computations once a cryptographically relevant quantum computer exists. Yeah, it's clear the future is PQC only, Donnie. It doesn't make sense to me that people are simultaneously so worried about the quantum threat they wanna deploy algorithms now, yet at the same time are insisting on hybrids because the new algorithms might be broken. If you think the new algorithms might be broken, why is it important to deploy them? And this competition helps everybody, hurts nobody. I was just talking to an expert and he said we can't let the crazy IETF standardize a non-hybrid. And I said, I know, it's very sad. The Democrats in the IETF are ruining cryptography in this country. 
Who were you talking to? It was an expert. I call him Mr. Tom. Let me get him in here. Ground control to Mr. Tom. Let's say Pius. What the fuck? Here it is. My good friend, Mr. Tom Riddle. Spoken like a true politician. What the fuck? Donald, Tom Riddle. He's Voldemort. Where did you find Voldemort? He was posting on the IETF mailing lists, but the ministry keeps censoring him. I am being silenced for my opinions. The ministry, you mean the TLS WG chairs and the IESG? This censorship is a continuing assault against IETF's promise of openness. Uh, I can't believe we're doing this. The chairs refuse to acknowledge his blocking objection. Blocking objection? Rough consensus isn't veto based. The most important objection is that using non-hybrid PQ instead of ECC plus PQ creates unnecessary security risks. After Google and Cloudflare had used CECPQ2b to encrypt tens of millions of real user connections, the SIKE component of CECPQ2b was publicly ripped to shreds. The only reason that the weakness of SIKE didn't immediately expose the CECPQ2b encrypted user data to attackers is that CECPQ2b was a hybrid with ECC. First off, that was a completely different algorithm at a completely different stage of development seven years ago. Second, it was a different experiment that had SIKE in it. Third, SIKE isn't even lattice based. It uses isogenies. The chair has nevertheless abused their power to declare consensus on adopting the document. My objections to this consensus call were met with a series of runarounds. No. Your complaints were completely invalid and not based in reality. We should run a new consensus call with more clear wolves. I suggest that the current WGLC be scrapped. Why would a third consensus call have a different outcome? I was caught by surprise regarding the advanced nature of this controversial and likely harmful draft. Bullshit. Another consensus call feels like it is only beneficial to people who didn't like the outcome of the first consensus calls. 
Exactly. Barack, we should get some Wikipedia admins in here. They could clean this thread up in a jiffy. The failing AD should address Mr. Tom's points on the record, the AD who lived come to lie. Uh, it does seem like you're abusing process and threatening integrity just because your algorithms weren't standardized. Barack, we gotta shut this down or he'll talk his own nose off. I'm not the only person with objections. Draco Malfoy also objected. Your god damn student objected. This is clearly a brigade, Barack. There are good people on both sides. I booted him. Thank God. You really have quite a group chat, Donnie. You can't do that. You can't kick out Mr. Tom. I'll see you in court. I think you mean on MODPOD, Donnie. Wow, this was a disaster. I should start writing standards somewhere else, like C2SP. Great idea, Obama. Donnie, shouldn't you be monitoring the situation in Iran? I am monitoring it. How do you like the performance? I thought you said you were gonna stop all wars, Donnie. I hear Ayatollah Rasm and his cadre of fanatics are consolidating their power. That Ayatollah thinks he's better than America. I'm gonna sock it to him in style. I'm tired of all this talk about cryptography. Let's go play Fortnite. You guys have fun. I'm gonna go drinking with Pete Hegseth at Mar-a-Lago. You know the browsers are going to implement this no matter what. There's customer demand. Stop doing this to yourself, Barack. Fine. Uh, let's go play Fortnite.