Benjamin Kaduk writes:
> And I assume that the bit where ML-KEM-768 is approximately 3% faster than
> X25519 plus ML-KEM-768 is for a microbenchmark scenario where we are just
> doing key exchanges and nothing else, so may end up in the noise for some
> traffic patterns
I thought you were asking for the key-exchange timings?
I fully agree that applications are normally doing things other than key
exchange. Looking at current numbers shows that pervasive ECC usage is a
tiny part of total costs---which to me says that _of course_ we should
keep ECC unless and until there's an overwhelming case for removing it.
For example, in 2024, only about 1 out of every 2000 CPU cycles at Meta
was spent on ECC:
https://web.archive.org/web/20250906094758/https://engineering.fb.com/2024/11/12/security/how-meta-built-large-scale-cryptographic-monitoring/
More precisely, what they said is that they spent "0.05%" of cycles on
"X25519 key exchange". This will be close to their total ECC cost, given
the very large fraction of TLS connections that use X25519:
https://web.archive.org/web/20250317194150/https://mailarchive.ietf.org/arch/msg/tls/pQRDJ9MBwnmLHp86Zvs_CfYUFaY/
https://web.archive.org/web/20250414193700/https://mailarchive.ietf.org/arch/msg/tls/vWAEg7E3jeLZjLABVaMVLR0flX4/
https://web.archive.org/web/20250413183440/https://mailarchive.ietf.org/arch/msg/tls/lWh_uimMIgQ6SMV_BSkJDh34eQM/
I find it striking that they portrayed this tiny fraction of Meta's
overall costs as a big expense, with words such as "the sheer volume of
usage". I understand the perspective of a cryptographic engineer happily
saying something like "I saved the company a million dollars", but it's
important to ask whether a cost improvement is coming at the expense of
security. A security incident can easily cause the company vastly more
damage---even ignoring the broader societal damage beyond what companies
end up paying for. This is why, for example,
https://www.forbes.com/sites/stevemorgan/2016/01/27/bank-of-americas-unlimited-cybersecurity-budget-sums-up-spending-plans-in-a-war-against-hackers/
reported the Bank of America CEO saying in 2015 that "the only place in
the company that didn't have a budget constraint was cybersecurity".
---D. J. Bernstein
===== NOTICES =====
This document may not be modified, and derivative works of it may not be
created, and it may not be published except as an Internet-Draft. (That
sentence is the official language from IETF's "Legend Instructions" for
the situation that "the Contributor does not wish to allow modifications
nor to allow publication as an RFC". I'm fine with redistribution of
copies of this document; the issue is with modification. Legend language
also appears in, e.g., RFC 5831. For further background on the relevant
IETF rules, see https://cr.yp.to/2025/20251024-rules.pdf.)
_______________________________________________
TLS mailing list -- [email protected]