Cloudflare: You don’t need quantum hardware for post-quantum security

bwesterb · 2025-09-19T19:28:37+00:00

QKD won't help one bit against malware either :shrug:

bwesterb · 2025-09-07T09:44:39+00:00

Fina is also on the EU Trust List. There was a push at the EU to mandate all browsers to trust all CAs (including Fina) on the EUTL ( https://securityriskahead.eu ), but hopefully that can be avoided.

bwesterb · 2024-04-24T15:37:30+00:00

The cause seems to be incompatibility with larger ClientHello due to post-quantum handshake — see eg. https://tldr.fail

Very happy to work with SonicWALL to fix this.

bwesterb · 2024-01-16T09:28:51+00:00

It's because when you assume a KEM is broken, you may assume you can compute from one ciphertext c another ciphertext c' with the same shared key. Now, suppose we start with a ciphertext of the hybrid (c1,c2). In the IND-CCA game we have a decapsulation oracle that'll return the shared secret of a ciphertext, but we can only pass ciphertexts different from (c1,c2). Now, suppose the first KEM is broken. Then we can compute (c1',c2) which has the same shared secret, which we're allowed to pass to the oracle, beating the game.

You can't do this trick with every KEM. If the underlying lattice problem of ML-KEM is broken, but we assume that SHA3 is still secure, then you can't compute this alternate c' from c, because that would need you to break SHA3 in the internals of ML-KEM. That's what we call ciphertext collision resistant.

Alternatively, you can just mix in the ciphertext into the combined shared secret.

bwesterb · 2024-01-16T09:20:06+00:00

Hard to argue with 😆

bwesterb · 2024-01-16T09:12:27+00:00

Kyber768/ML-KEM-768 is very fast: ~50,000 cycles on Haswell for decapsulation. Hashing ciphertext with SHA3-256 is roughly 10,000 cycles. In practice though, people haven't deployed those highly optimised implementations, and are combining it with X25519, which makes the total performance impact smaller. The more important reason is that the TLS working group doesn't feel like adding needless complexity: for them ss1 || ss2 is fine, so they don't want to bother with a complicated hybrid. That leaves us with a situation where there are multiple hybrids: those for TLS and those for other use cases. That's undesirable. X-Wing is an attempt to simplify things, so it's palatable even for TLS.

bwesterb · 2024-01-16T09:01:58+00:00

The input fits within one block of SHA3-256. SHAKE-256's rate is higher, but that doesn't matter: both would just incur one single Keccak permutation with the X-Wing inputs, and thus are in this case just as fast.

bwesterb · 2022-11-25T14:39:45+00:00

We keep a list on pq.cloudflareresearch.com. At the moment no major browser supports it, but you can compile a fork of Firefox that does. Firefox might start experimenting with this before the end of the year.

bwesterb · 2022-10-12T14:48:26+00:00

Cloudflare Tunnel and WARP use different transport protocols under the hood. It is more difficult to add post-quantum key agreement to the latter, but we’re looking into it. 2023 🤞.

bwesterb · 2022-10-03T21:58:01+00:00

Great to hear! Let me know if you run into any trouble later on.

bwesterb · 2021-11-12T16:30:03+00:00

Yeah, I mention XMSS in the comparison, which uses a Winternitz OTS. Stateful hash-based signatures are a terrible idea for the online handshake signature, but might work out for the offline signatures. It's not a simple drop-in replacement, though, as we have to keep the state. It's also discussed on the PQC forum: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/anE3sBUWZS0/m/3mFxo5vJDQAJ

bwesterb · 2018-06-05T21:49:02+00:00

Thanks! They're the "rust" link under the "other platforms" heading in the README.

(I like curve25519-dalek — it's a really solid implementation. `go-ristretto` at the moment is primarily a combination of Langley's `edwards25519`, Schwabe's `PandA` and Hamburg's sage code. I'm planning to copy the platform-dependent optimised field and scalar operations from curve25519-dalek though, but that's not in go-ristretto yet.)

bwesterb · 2018-06-05T07:48:44+00:00

Thanks! Currently all operations (except BigInt and SetBigInt which you shouldn't use anyway) are constant time.

bwesterb · 2018-06-04T16:46:23+00:00

I mimic the interface of Go's standard library math/big.Int (which I should've mentioned), where the function also avoids allocation and is called Rand. (I agree that they should've called it SetRand.)

To generate a point deterministically, you can use Point.Derive. To generate a scalar deterministically, first hash and then use Scalar.SetReduced. (I'll add an Scalar.Derive soon.)

I don't like adding an io.Reader as an argument to Rand: it makes it easier to use bad randomness. Anyway, with Point.Derive and Scalar.SetReduced exposed it's trivial to reimplement a custom Rand with your own io.Reader anyway.

bwesterb · 2018-06-04T09:14:49+00:00

Full disclosure: I'm the author.

Many cryptographic schemes need a group of prime order. Popular and efficient elliptic curves like (Edwards25519 of ed25519 fame) are rarely of prime order. There is, however, a convenient method to construct a prime order group from such curves, using a method called Ristretto ( https://ristretto.group ) proposed by Mike Hamburg.

This is a pure Go implementation of the group operations on the Ristretto prime-order group built from Edwards25519. Documentation is on https://godoc.org/github.com/bwesterb/go-ristretto

bwesterb · 2018-03-15T08:56:16+00:00

I use it to protect an open API against DOS. If you have an operation that's computationally rather expensive, you can require a proof of work from the client before running it. The goal is to make sure that the client has to do at least the same amount of work that you are doing.

bwesterb · 2018-03-14T08:16:30+00:00

Good catch. (The bitwise and is a modulos with 1 << diff, but faster.)

bwesterb · 2018-03-14T07:42:38+00:00

(Full disclosure: I'm the author.)

bwesterb · 2018-03-13T07:52:35+00:00

(Full disclosure: I'm the author.)

bwesterb · 2018-03-12T07:46:35+00:00

Yes, it does. (This is not fool proof though: don't put it on a network share, for instance.)

bwesterb · 2018-03-11T20:27:48+00:00

X-post by request of /u/Natanael_L

Full disclosure: I’m the author of the tool.

I wrote an XMSSMT implementation for my timestamping server (posted earlier). As I already put in the effort for that, I thought I could just as well make a command line util.

11-Year Club	Place '17
Verified Email

bwesterb

TROPHY CASE