
This post-quantum crypto thing is ridiculous.

Posted Oct 8, 2025 22:26 UTC (Wed) by mirabilos (subscriber, #84359)
In reply to: This post-quantum crypto thing is ridiculous. by cypherpunks2
Parent article: OpenSSH 10.1 released

I was considering that at some point they’ll need to decide what to keep on storage, as growth is not endless.

> The increase in computation required for ML-KEM is negligible.

Hmm. I’ll have to port this to my 486 and SPARCstations and see. If it indeed is, this may work. (Likely will still have to rip out the DJB-derived 25519 code and replace with a properly licenced version, but.)


to post comments

This post-quantum crypto thing is ridiculous.

Posted Oct 8, 2025 23:22 UTC (Wed) by cypherpunks2 (guest, #152408) [Link]

> I was considering that at some point they’ll need to decide what to keep on storage, as growth is not endless.

If they start getting severe budget cuts, I'm sure they'd be happy with just capturing the key exchange and then one out of every N packets from that session, or using timing analysis to discard the majority of unnecessary traffic (heavy web resources, video streaming, etc). That would be enough to drastically limit storage space while still preserving a significant amount of information.

> Hmm. I’ll have to port this to my 486 and SPARCstations and see.

The majority of the computational cost for ML-KEM is in the use of Keccak in the form of SHAKE as a hash function and XOF. The overhead from actual lattice cryptography is almost negligible. I highly doubt Keccak is going to be efficient on a 486 or anything of that era. The lack of SIMD means that it will struggle. Any modern computer with SIMD will not see a prohibitive increase in computational cost when switching to something like mlkem768x25519.

Keccak is optimized to be exceptionally efficient in a raw hardware implementation such as a future SHA-3 instruction set, but most users of ML-KEM are not going to be using ancient hardware. There's also a Kyber-90s variant which uses SHA-2 and AES instead of SHAKE, which offloads the majority of computations to dedicated instructions from SHA-NI and AES-NI, neither of which are supported by the 486 or SPARCstation.
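To make the claim above concrete, here is an added example (not code from the thread or from OpenSSH) of the Keccak-f[1600] permutation and the SHAKE sponge that ML-KEM uses as its hash and XOF, with output cross-checked against Python's hashlib. It returns the number of permutation calls per XOF use, which is the cost the comment refers to; the 64-bit lane rotations in `rol` are what a 32-bit CPU without SIMD has to emulate. The rotation table and round constants are the standard FIPS 202 values.

```python
import hashlib
MASK = (1 << 64) - 1
RHO = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]

def rol(v, n):
    """Rotate a 64-bit lane left by n bits; a native op on 64-bit CPUs, emulated on a 486."""
    return ((v << n) | (v >> (64 - n))) & MASK if n else v

def keccak_f1600(a):
    """24 rounds of theta, rho, pi, chi, iota; a[x + 5*y] holds lane (x, y)."""
    for rc in RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                    # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                      # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rol(a[x + 5 * y], RHO[x][y])
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                    # chi
        a[0] ^= rc                                                  # iota
    return a

def shake(data, outlen, rate=168):
    """SHAKE sponge (suffix 0x1F); rate 168 = SHAKE128, 136 = SHAKE256. Returns (out, #perms)."""
    msg = bytearray(data) + b"\x1f"
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80                        # closing bit of pad10*1
    state, perms = [0] * 25, 0
    for off in range(0, len(msg), rate):   # absorb: one permutation per rate-sized block
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        state, perms = keccak_f1600(state), perms + 1
    out = bytearray()
    while True:                            # squeeze: one more permutation per extra block
        out += b"".join(state[i].to_bytes(8, "little") for i in range(rate // 8))
        if len(out) >= outlen:
            return bytes(out[:outlen]), perms
        state, perms = keccak_f1600(state), perms + 1

def matches_hashlib(data, outlen):
    return (shake(data, outlen, 168)[0] == hashlib.shake_128(data).digest(outlen)
            and shake(data, outlen, 136)[0] == hashlib.shake_256(data).digest(outlen))
```

Calling `shake(seed, 504)` for a 32-byte seed costs three permutations, one to absorb and two more to squeeze past the 168-byte SHAKE128 block; the same output from SHAKE256 (136-byte rate) would need one more.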

This post-quantum crypto thing is ridiculous.

Posted Oct 11, 2025 5:12 UTC (Sat) by djm (subscriber, #11651) [Link] (2 responses)

> Hmm. I’ll have to port this to my 486 and SPARCstations and see.

Those old computers used to run 4096 bit Diffie-Hellman just fine. Hybrid ML-KEM768/X25519 is several times faster.

This post-quantum crypto thing is ridiculous.

Posted Oct 13, 2025 8:00 UTC (Mon) by cypherpunks2 (guest, #152408) [Link] (1 responses)

Nothing that old would be able to handle 4096 bit FFDH very well. I had an old web server (AMD Athlon which is orders of magnitude faster than a 486) with a 3072 bit modulus and had to downgrade to 2048 bit because the key exchange was saturating the CPU and becoming the bottleneck. Eventually I switched to Secp256r1 ECDH and that problem went away completely.

This post-quantum crypto thing is ridiculous.

Posted Oct 13, 2025 18:36 UTC (Mon) by mirabilos (subscriber, #84359) [Link]

Yes, SSH’ing to my P233MMX takes a few seconds, the 486 is only a client, the SPARCs have ControlPath enabled.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds