Filippo Valsorda1d ago

Two papers came out last week that suggest classical asymmetric cryptography might indeed be broken by quantum computers in just a few years.

That means we need to ship post-quantum crypto now, with the tools we have: ML-KEM and ML-DSA. I didn't think PQ auth was so urgent until recently.

https://words.filippo.io/crqc-timeline/

A Cryptography Engineer’s Perspective on Quantum Computing Timelines

The risk that cryptographically-relevant quantum computers materialize within the next few years is now high enough to be dispositive, unfortunately.

Show threadohir

@filippo
> In symmetric encryption, we don’t need to do anything, thankfully

Ok. So the IoT garden must rewind to the Kerberos or physical provisioning. I can't imagine lattices on small silicon yet.

Thank you, Filippo.

Apr 6 at 10:35pmWeb
Show threadm_eiman1d ago
@ohir @filippo I’m involved in modernizing crypto for protocol that needs to work at 9600 baud. These key sizes are going to be a terrible problem… and that’s just the bandwidth side, them there”s RAM and CPU on small embedded devices.
Show threadFilippo Valsorda1d ago
@mikaeleiman @ohir yup, it's not great, but it is what it is. (RAM is kinda fine if you optimize for it, and CPU is actually faster than classical. But yes, size sucks.)
Show threadKoos Pol 🇺🇦23h ago
@filippo @mikaeleiman @ohir Small devices which are part of a bigger system, but which are unable to take care of themselves should be behind a gateway/proxy anyway.
Show threadm_eiman23h ago
@KoosPol @filippo there’s no gateway to hide behind in this case unfortunately, it’s all small devices (and no Internet involved). And we’d like to be able to firmware update existing devices to the new stuff, replacing with new hardware would be very expensive.
Show threadKoos Pol 🇺🇦22h ago
@mikaeleiman @filippo Then you have an system architecture problem. You can't have important devices in operation without proper safeguards. And if one of the safeguards is crypto, while these devices can't deliver, then you need to tuck them behind a gateway. And if you can't then the devices aren't important enough. You can't have the cake and eat it.
Show threadm_eiman21h ago

@KoosPol @filippo That's why I'm looking forward to someone coming up with a quantum resistant variant of key exchange with smaller keys that's workable for smallish embedded MCUs :]

Currently it's looking like there's no way forward for our users that's not expensive, disruptive and time consuming.

Show threadohir17h ago

@KoosPol @filippo @mikaeleiman
> should be behind a gateway/proxy anyway

IoT devices are not expected to have any external protection. This is a consumer market. We can not expect home owner to provide secure environment before they change old dumb LED-bulb for a new one equipped with BLE, motion sensors and microphones. Whether they use "smart" features of this bulb or not.

Then we have many mandated by law devices that must be put in the car for safety and for national security reasons. A prime example are the direct TPMS sensors. E.g. a hackable TPMS in the tire will not deny our abilities to accurately monitor the good actors movements, but it may afflict our ability to track movements of the bad actors were they able to tamper with emitted by the tire IDs to mimic a secure-facility employee's car.

Show threadKoos Pol 🇺🇦27m ago
@ohir @filippo @mikaeleiman For the consumer market i.r.t iot devices crypto is hardly relevant. Either you're a sysadmin and you've got your safe guards in place (e.g. vlan separation) or you're legally blonde and already clicked every permission your phone asked you to. In both cases PQ is "greenwasning".
But, I do strongly agree with you this needs legislation. Because then we can tackle the whole field.
Show threadohir1d ago

@mikaeleiman
> there”s RAM and CPU on small embedded devices.

This. You can think of attesting just KDC with ML signature, likely, on some bigger silicon, but not on a half of coming cheap STM lines for example.

Time to study rfc4120 and siblings :(

@filippo

I'd like to ask whether migrating Ed25519 to Ed448 makes any sense? At least temporarily. Setting aside all that owful implementation disadvantages of Ed448.

Show threadFilippo Valsorda1d ago
@ohir @mikaeleiman nope, the distance between now and Ed25519 is way larger than between Ed25519 and Ed448.
Show threadClemens1d ago

@ohir @filippo FN-DSA may be a solution for this class of devices.

(Or LMS and XMSS, although those two are such a big footgun nobody should be using them, *especially* not for signing — verification is OK.)

Show threadohir1d ago

@neverpanic @filippo
> LMS/XMSS
I'd bet only on something that will get the most attention of the cryptographers community. And certainly I am quite in shock having past gossips coming to the reality now.

If Ed448 is off, and larger NIST curves too, then small cpus over the slow links are toasted at least re authentication. Likely. We need to sit, think, cool down.

And I think that now the threat model assessment will be the most important part of the design procedures. Do we need secure against the gov/corporate adversary of a big country, or small one. Do breach afflict just one site or all users and so on.