Security Cryptography Whatever

Picking Quantum Resistant Algorithms

Deirdre Connolly, Thomas Ptacek, David Adrian Season 4 Episode 11

Migrating the US government to quantum-resistant cryptography is hard; luckily the gamer presidents are on it. This episode is extremely not safe for work, nor does it reflect the political opinions of, well, anybody.



"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Speaker 1:

All right, guys, before we hop back into Minecraft, we've got to make sure the US government has a plan to migrate to quantum-resistant cryptography.

Speaker 2:

I thought this was solved already. NSA put out a new version of the CNSA algorithm guidelines under my administration. Why can't we just play Minecraft now?

Speaker 3:

The children yearn for the mines.

Speaker 2:

Stop saying that. Yeah, Obama, there was a NIST competition and everything. We already built cryptography back better.

Speaker 1:

What's left to do? Well, Joe, you actually have to build the thing. To accomplish something big, you need to go beyond declaring that it should be done and actually make sure it happens.

Speaker 3:

Oh wow, Obama read Ezra Klein. Ezra Klein. People don't know this. Let me tell you what people don't know. Ezra Klein co-founded the fake news media Vox Media. He is fake news.

Speaker 1:

Ezra Klein is not fake news. I never understood the lyrics to Ezra Klein. Joe, you're thinking of Better Than Ezra. Ezra Klein writes for the NYT.

Speaker 2:

It was good living with you, Barack. Shut up, Sleepy.

Speaker 1:

Joe, the American people voted for hope and change in 2008, and we have an opportunity to give that to them now with IND-CCA secure quantum-resistant KEMs.

Speaker 2:

Can't we just swap out the pre-quantum algorithms with post-quantum algorithms? Folks, it's that simple. Uh, no, it's not.

Speaker 1:

The post-quantum algorithms are much bigger than the pre-quantum algorithms and therefore are not suitable for a variety of use cases. We need to rethink some protocols, uh, from the ground up.

Speaker 3:

What does DJB say we should do? I only trust DJB's algorithms.

Speaker 1:

Who is DJB? Damn it, Joe. We talked about this last time.

Speaker 3:

He's the best cryptographer.

Speaker 1:

No, he's not. His algorithms didn't even win the NIST competition.

Speaker 3:

The NIST competition was a huge fraud. NIST are liars, bad, bad people. At NIST they backdoored Dual EC. People are talking, people are saying they're going to do it again. They're going to backdoor the post-quantum cryptography.

Speaker 2:

I thought the NIST competition was won by some Star Wars nerds. That's right, Joe. Kyber was the winning KEM, although NIST did rename it to ML-KEM. What does machine learning have to do with the crystals in the warp core?

Speaker 1:

Joe, those are dilithium crystals in the warp core. Kyber crystals are in lightsabers. Dilithium is the signature algorithm, not the key encapsulation algorithm. Kyber is for key encapsulation, and ML stands for module lattice, not machine learning. God, what a bunch of nerds. NIST renamed Dilithium to ML-DSA.

Speaker 3:

That's because.

Speaker 2:

NIST hates fun and hates DJB. Shut the fuck up, Donald.

Speaker 1:

Also, Donald, how could NIST backdoor the algorithms? The NIST PQC algorithms are all designed by academic cryptographers. Many of them are not even from the US.

Speaker 3:

That's unsafe. We need to make cryptography American again.

Speaker 2:

Then why did you have DOGE cut NSF funding? Donnie, you think someone is

Speaker 1:

going to pretend to be Chris Peikert and submit a backdoored construction as him, and that's going to work?

Speaker 3:

Any cryptography contest that DJB doesn't win is a total fraud. Total fraud. Peikert has been paid off by big learning with errors, or as I like to call it, Columbia University. Besides, NIST doesn't even know when to multiply and when to add exponents.

Speaker 1:

This is the problem with all these modern NIST contest theories. They're not even a good movie plot. Your last bit about them paying someone like Peikert off isn't even coherent. They could do that with or without the contest.

Speaker 3:

They're going to backdoor the crypto with their woke views, the woke mind virus. It's ruining cryptography.

Speaker 2:

Can you just shut up, man? Barack, you can't engage with Donnie on this stuff. He'll talk your fucking ear off.

Speaker 3:

Now DJB is being silenced by the IETF, even though the IETF violated RFC 9680. Antitrust, big tech, the woke internet society. You can't trust them.

Speaker 1:

The IESG clearly ruled that DJB's complaint and appeal wasn't even valid under RFC 2026, section 6.5.4.

Speaker 2:

I agree, we can't trust big tech. Donnie, you shouldn't have fired Lina Khan. Lina

Speaker 3:

Khan was ruining little tech. Nasty woman, that Lina Khan. Nasty woman. Her whole staff, disastrous, gross incompetence. People say the deputy CTO of the FTC was terrible as well.

Speaker 1:

We need to keep this moving. Let's pick some algorithms to use for national security systems.

Speaker 2:

That's a great idea, Barack. Picking algorithms is easy enough. For each increasing level of classification, we should require an increasing strength of algorithm. That's what we've done for decades.

Speaker 1:

Joe, that doesn't make any sense. We should pick the minimum strength algorithm that works for all use cases. Why do you say that, Obama? Classification level is an application layer concern. However, we have to choose algorithms at the transport layer. There's no good way to signal back if the algorithm needs to change. It's much simpler to always negotiate a baseline level of security that meets the requirements for all classification levels. I never thought of that before. I thought you did network security architecture consulting. How have you never thought of this before?

Speaker 3:

I said this before. I'll say it again. Sleepy Joe's network diagrams are ruining America. He's ruining America.

Speaker 1:

Donald, you're president again. How is Joe still ruining America?

Speaker 3:

Joe Biden and Kamala Harris, and their Bidenomics caused a recession.

Speaker 1:

No, Donald, you caused a recession.

Speaker 3:

We're going to have so much growth and so much quantum-resistant crypto that we will always be winning. Cryptographers are going to get tired from winning.

Speaker 2:

Donnie, please, all right, Obama, you've convinced me. Let's use ML-KEM-1024 and ML-DSA-87 for everything. Those are the strongest parameters. Well, Joe, those parameters are quite large. Maybe we should swap ML-KEM for Falcon. That's also a FIPS algorithm.

Speaker 3:

Falcon, what are you smoking? Falcon uses floating point operations. You can't pick an algorithm that uses floating point and expect it to be constant time. Did you hear that, people? Sleepy Joe thinks floating point is constant time.

Speaker 2:

I'm just a fucking collaborator, I agree with Donald.

Speaker 1:

I don't think we should use Falcon. Also, Donald, we all know what he's smoking. Joe has that dank Biden hash he keeps in his Corvette.

Speaker 3:

Yeah, he keeps the drugs with all the classified documents in his stingray.

Speaker 2:

No, all the classified documents are in your fucking pool, Donnie. But fine, we won't use Falcon, and yes, I'm fucking lit. Okay, calm down, you two.

Speaker 1:

It seems like the rest of the internet standardized on ML-KEM-768. It would be easier if the US government used the same thing as everyone else rather than ML-KEM-1024.

Speaker 2:

TLS has cipher suite negotiation. What the hell is that for if we can't negotiate ML-KEM-1024?

Speaker 1:

Well, Joe, it's not that we can't negotiate it, it's that we can't offer a key share prediction of both ML-KEM-768 and 1024 at the same time.

Speaker 3:

Sleepy Joe is so old he doesn't even know the TLS 1.3 key schedule. He's probably still using SSLv2.

Speaker 2:

You bet your ass. I know the key schedule, and I know you can put more than one key share prediction in the ClientHello. What's not to like? Basically,

Speaker 1:

the problem is that the key shares are too damn big, Joe. It's too slow, it's too many bytes to offer both. These KEMs are faster than ECDH.

Speaker 2:

Performance isn't a problem.

Speaker 1:

No, Joe, I'm talking about the performance of sending the bytes over the network, not the cryptographic operations themselves. We can't be adding three kilobytes to every ClientHello just because the US government picked the biggest parameter set. It's head-of-line blocking and ruins time to largest contentful paint. Then they should configure their endpoints to send the right key share prediction based on use case.

Speaker 2:

This is the CIO's problem to solve.

Speaker 1:

I don't think we should be creating unnecessary problems and then requiring the CIO to fix them.

Speaker 2:

Okay, then what if we split national security systems off to separate host names and configured them to use ML-KEM-1024 only?

Speaker 3:

Finally, Sleepy Joe says something I can agree with. This all works out so long as clients offer 1024 in the supported key agreements but then provide a 768 key share prediction as the default happy path. CNSA-compliant servers will have to configure themselves to only accept 1024.

Speaker 1:

That would add an extra round trip to the connection, Donald.

Speaker 2:

The government networks are so over-provisioned, who cares about another round trip? We're not an online bookstore. You know what, this could work.

Speaker 1:

The classified networks are probably not highly latency-sensitive.

Speaker 3:

The government is wasting billions of dollars on unused bandwidth. We may as well use some of it for an extra round trip.

Speaker 1:

Whatever, Donald, I like this idea. Furthermore, CIOs could optionally configure their clients to predict 1024 and save a round trip on national security systems in exchange for adding a round trip to other sites.

Speaker 2:

That would be a privacy leak, Barack.

Speaker 3:

The DOD already has their own IP block that de-anonymizes them. They're doxing themselves.

Speaker 1:

They've been doxed, that's a good point, Donald, but all of this relies on national security systems being able to separate off by host name. Do we think this will work for the public clouds and SaaS providers that the government uses? What happens if there are government and non-government clients accessing the same host name? Skill issue. It's not a skill issue, it's a legitimate question. This could destroy performance and efficiency for many users, some of whom may be on low bandwidth mobile connections.

Speaker 3:

Look, at some point the government is going to need to configure its endpoints. I have a guy for this. He's all about efficiency. I'll put Elon on it.

Speaker 1:

Fine, but he still isn't allowed on our Minecraft server.

Speaker 2:

Let me invite him in here. No, Donnie, once he comes in, he'll want to play Minecraft with us.

Speaker 4:

Hell yeah, brother. Dark MAGA reporting for duty. God damn it. My heart goes out to all of you.

Speaker 2:

Stop saying that.

Speaker 3:

Elon is here. He can figure out how to configure the government servers and clients for CNSA 2.0.

Speaker 4:

That's right, I'm White House tech support.

Speaker 1:

Okay, fine, Elon can stay as long as he's constructive. We were just about to move on to talk about signatures.

Speaker 2:

Same thing, we just do ML-DSA-87 everywhere. What's not to like?

Speaker 1:

Joe, once again you've needlessly selected the highest security level for no reason.

Speaker 2:

Extra security grows the economy, helps everybody, hurts nobody. It's too damn big.

Speaker 1:

Joe, the 14 KB of extra signature bytes number that Google likes to throw around for ML-DSA is based on ML-DSA-44. It's double that, 28 kilobytes, for 87.

Speaker 2:

Anything under 64 kilobytes of signatures should be fine for anyone.

Speaker 3:

That's not how that quote works, Sleepy Joe.

Speaker 1:

Okay. Well, if Elon is here, maybe he can put some of his DOGE kids to work making SQIsign 10,000x faster. That'd actually be useful, unlike unsubscribing the DOJ from the law review journals.

Speaker 4:

And I'm great at cryptography. I end-to-end encrypted all DMs on Twitter after I bought it.

Speaker 2:

Yeah, and your scheme sucks. There's a whole podcast episode about it, and now the guy who designed it works for Doge. Can you believe it?

Speaker 4:

Some of the things I say will be incorrect and should be corrected.

Speaker 1:

You know what, If we're doing host name separation and Elon is going to get each host a certificate chain the size of a fucking floppy disk, then I may as well go fuck myself.

Speaker 3:

No, here's what we're going to do. Elon is very rich, very smart. I'm going to have him develop SQIsign. We're going to take over that algorithm. We're going to develop it. You said you want a 10,000x speedup. I'll get you a billion percent speedup. We're going to make signatures great again.

Speaker 2:

How do you plan on doing that? Any fast isogeny scheme ends up getting broken with five minutes of compute in NumPy on a MacBook Air.

Speaker 4:

I'll put SpaceX engineers on it. They're 10x engineers and the best in the world.

Speaker 1:

If they're so great, how come your rockets

Speaker 4:

keep blowing up? Ha, nice one, Barack. I caught a spaceship with chopsticks. Go fuck yourself.

Speaker 1:

Actually, yeah, that was pretty dope.

Speaker 3:

We can rename SQIsign to the signature algorithm of America. It will be the best algorithm.

Speaker 4:

I love.

Speaker 3:

America.

Speaker 1:

I don't think this is going to work.

Speaker 2:

Don't tell us what we're going to feel. We're trying to solve a problem. You don't have the cards. These two are embarrassing, Barack, but at least we don't have to talk to JD Vance.

Speaker 3:

Tell me about it. I hate talking to JD. I think I'll make him president of Canada, so I don't have to talk to him anymore.

Speaker 2:

Canada is never going to be the 51st state, Donny. Holy shit, you three.

Speaker 1:

I know everyone hates JD, but this whole goddamn post-quantum process is embarrassing. Our options are host-name separation with terrible performance, or hope that we can get multiple orders of magnitude speed up in some math that no one understands. This is why no one likes Democrats anymore.

Speaker 2:

Are we done here? It's time to play Minecraft.

Speaker 4:

Yeah, Dark Minecraft. The children yearn for the mines. What's your server address?

Speaker 3:

That's what I said. I've always said the children yearn for the mines. We need to get America back to work, make America great again and get the children back in the mines. They love it, they yearn for it.

Speaker 4:

Once we go to Mars, we can start mining the asteroid belt and we can put the children to work on Ceres, just like in the Expanse.

Speaker 1:

Elon, I don't think that was supposed to be a positive example of society.

Speaker 4:

Concerning, looking, looking into this.

Speaker 2:

Someone should investigate this Elon guy.

Speaker 3:

I'm done with this conversation. Let me know when you're ready to play Minecraft, Obama. Come on, Elon, let's go play Minecraft.

Speaker 2:

Was that guy on?

Speaker 1:

ketamine? Yes, Joe, I think he was.

Speaker 2:

Well, I'm going to go play Minecraft with him anyway. See you later, Barack.

Speaker 4:

Well, I'm going to go play Minecraft with them anyway. See you later.

Speaker 1:

Barack, we've accomplished nothing. Maybe we should just hire some bullshit cryptography agility consultants to fix this for us. Why do I hang out with these fools? Fine, I'll play Minecraft with them.