Sophie SchmiegFeb 10
Has anyone done a macroeconomic analysis of the costs of the PQC migration?
It seems hard to estimate, but it feels like a number with way too many zeros after it.
Show threadDavid Chisnall (*Now with 50% more sarcasm!*)Feb 10
@sophieschmieg I suspect you probably can’t for another five or more years. The push to do TLS everywhere drove things like AES hardware in CPUs and TLS offload and termination in NICs. It’s still consuming more power than not doing it, but the power cost now is much lower than it was before all of this, so I wouldn’t be surprised if it ended up being a net saving. At the moment, only a handful of folks are looking at hardware offload for PQC and it’s not clear to me if there will be additional benefits from the hardware people are building for it (it may just be cost).
Show threadbalooFeb 10

@david_chisnall @sophieschmieg I don't believe there is any benefit of hardware offload for PQC.
PQC is only used for key agreement or signature, which is a very small part of a TLS flow. Encryption is still going to stay AES or Chacha.

I believe this was meant for the amount of (human) work required to prototype, collaborate, specify, certify and deploy.

To be honest, the most problematic portion at the moment is the lack of support for secure storage (HSMs, TPMs, yubikeys, ...) of PQC private keys. And this won't happen for a little while.

Show threadbalooFeb 10
@david_chisnall @sophieschmieg Add on top of that the problems created by the current US admin when they cut jobs at NIST (which costs every more _time_ for everyone)
Show threadSophie SchmiegFeb 10
@david_chisnall @baloo yeah, I think hardware offloads are not the most interesting aspect of the solution here. Roughly speaking, the cost falls into two buckets, the engineering cost and the operational cost. Both currently have huge error bars on them, especially since the operational cost is mainly in bandwidth, which is much harder to model cost for when compared to compute. Add to that that you can partially trade off operational costs with engineering costs and you get something you need to have an engineering degree and an economics degree to do cost modeling for.
Show threadbalooFeb 10

@sophieschmieg @david_chisnall I mainly work around code-signing use-cases. The larger signatures are definitely hard to retrofit in existing systems.

This is a major engineering cost for us.

Show threadbaloo

@sophieschmieg @david_chisnall That and CPU vendors doing their own thing because why not.

Out of every solutions out there, they made an effort in picking the worst one.

Feb 10 at 7:20pmWeb