Comment from Neil Madden After Round 4 announcement (Round 5 now ?)
Loganaden Velvindron
In case you aren't on the IETF CRFG:
"Thanks for posting this. It is a shame that Classic McEliece wasn’t
selected, as it seems eminently suitable for SAML/OIDC and other
SSO/Federation use cases where keys are often established out of band
and changed rarely. The NIST report dismisses Classic McEliece for
this use case (page 7):
"The study on the performance of post-quantum XML encryption and SAML SSO
[21] contains data that compare BIKE and Classic McEliece in those
protocols. For hybrid
XML encryption, Classic McEliece slightly outperforms BIKE in
decryption time and total
time but results in much larger data sizes. When used for SAML SSO,
BIKE generally out-
performs Classic McEliece in time and produces much smaller bandwidths."
But the referenced paper
(https://petsymposium.org/popets/2024/popets-2024-0128.pdf) actually
says (section 6.1):
"The total size of Classic McEliece XML ciphertexts is several
orders of magnitude larger than the others. However, it has the
smallest (non-XML) ciphertexts of all post-quantum KEMs and
also of RSA (see Table 8). The reason for this difference is that
XML ciphertexts also contain the public keys, and Classic McEliece
has large public keys. Therefore, if we removed the public key
from the KeyInfo element, Classic McEliece would be the most
bandwidth-efficient XML public encryption algorithm”
The KeyInfo is entirely optional in SAML
(https://www.w3.org/TR/xmlenc-core/#sec-Extensions-to-KeyInfo) and
including the public key in it makes no sense at all.
— Neil"
Could there be a round 5 for those specific use-cases ?
Daniel Apon
While I admit that some gray hairs are regularly popping up in my majestic beard these days, I still feel young.
In the past week, I upgraded my personal computer's GeForce GTX 1080 to a GeForce RTX 3080, and not only is my cryptographer better off (not the constraining factor), most of my computer science life is.
John Mattsson
I strongly agree with Neil, I think the small ciphertext of Classic McEliece makes it eminently suitable for a lot of use cases.
It would have been good if Neil (and others) provided these comments during the NIST process, and not 5 min after NIST announced that they will not standardize Classic McEliece...
I did my part... :)
https://csrc.nist.gov/csrc/media/Presentations/2025/ml-kem-is-great/images-media/ml-kem-is-great.pdf
Cheers,
John
From:
pqc-...@list.nist.gov <pqc-...@list.nist.gov> on behalf of Loganaden Velvindron <loga...@gmail.com>
Date: Tuesday, 11 March 2025 at 18:16
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [pqc-forum] Comment from Neil Madden After Round 4 announcement (Round 5 now ?)
Hi All,
In case you aren't on the IETF CRFG:
"Thanks for posting this. It is a shame that Classic McEliece wasn’t
selected, as it seems eminently suitable for SAML/OIDC and other
SSO/Federation use cases where keys are often established out of band
and changed rarely. The NIST report dismisses Classic McEliece for
this use case (page 7):
"The study on the performance of post-quantum XML encryption and SAML SSO
[21] contains data that compare BIKE and Classic McEliece in those
protocols. For hybrid
XML encryption, Classic McEliece slightly outperforms BIKE in
decryption time and total
time but results in much larger data sizes. When used for SAML SSO,
BIKE generally out-
performs Classic McEliece in time and produces much smaller bandwidths."
But the referenced paper
says (section 6.1):
"The total size of Classic McEliece XML ciphertexts is several
orders of magnitude larger than the others. However, it has the
smallest (non-XML) ciphertexts of all post-quantum KEMs and
also of RSA (see Table 8). The reason for this difference is that
XML ciphertexts also contain the public keys, and Classic McEliece
has large public keys. Therefore, if we removed the public key
from the KeyInfo element, Classic McEliece would be the most
bandwidth-efficient XML public encryption algorithm”
The KeyInfo is entirely optional in SAML
including the public key in it makes no sense at all.
— Neil"
Could there be a round 5 for those specific use-cases ?
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion visit
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Flist.nist.gov%2Fd%2Fmsgid%2Fpqc-forum%2FCAOp4FwSCaJL-4%253DVS8Ybt3a%252BPffmbxi6XN-b7ZiCLu%252Ba2ZXG2rQ%2540mail.gmail.com&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7Cf302c3c0568b4ae693bc08dd60c07b30%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638773102119713898%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=zoGdXhfg5ml1miEaeyGwCSbyA2q0gotzWIepRPz5TWk%3D&reserved=0.