README: note about NIST ban of ECC in 2035
paulmillr committed Nov 19, 2024
1 parent f3580af commit f1e8637
Showing 1 changed file with 13 additions and 8 deletions.
21 changes: 13 additions & 8 deletions README.md
Expand Up @@ -10,6 +10,11 @@ Auditable & minimal JS implementation of public-key post-quantum cryptography.
- 🐈 SLH-DSA & SPHINCS+: hash-based signatures from FIPS-205
- 🪶 77KB (15KB gzipped) for everything with hashes

> [!IMPORTANT]
> NIST published [IR 8547](https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf),
> in which they want to prohibit classical, non post-quantum cryptography after 2035.
> Take it into an account while designing a new cryptographic system.
Take a glance at [GitHub Discussions](https://github.com/paulmillr/noble-post-quantum/discussions) for questions and support.

### This library belongs to _noble_ cryptography
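Review bot: the new `[!IMPORTANT]` admonition runs straight into the next paragraph with no blank line between `> Take it into an account while designing a new cryptographic system.` and `Take a glance at [GitHub Discussions](...)`, so Markdown treats the "Take a glance" line as a lazy continuation of the blockquote and it renders inside the callout; add an empty line after the quote. While touching it, "Take it into an account" should read "Take it into account", and since the linked file is the `.ipd` (initial public draft) of IR 8547, the sentence would be more accurate as "in which they propose to disallow classical, non-post-quantum cryptography after 2035" rather than stating it as a settled ban.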
Expand Down Expand Up @@ -98,7 +103,7 @@ There are some concerns with regards to security: see
[mailing list](https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E).
Old, incompatible version (Kyber) is not provided. Open an issue if you need it.

> [!WARNING]
> [!WARNING]
> Unlike ECDH, KEM doesn't verify whether it was "Bob" who've sent the ciphertext.
> Instead of throwing an error when the ciphertext is encrypted by a different pubkey,
> `decapsulate` will simply return a different shared secret.
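Review bot: the removed and added `> [!WARNING]` lines are indistinguishable in this view, so this hunk is presumably only a whitespace or line-ending fix; a word in the commit message would make that clear. The warning text itself has a grammar slip worth fixing in the same pass: `> Unlike ECDH, KEM doesn't verify whether it was "Bob" who've sent the ciphertext.` should be "who sent the ciphertext".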
Expand Down Expand Up @@ -142,7 +147,7 @@ Hash-based digital signature algorithm, defined in [FIPS-205](https://nvlpubs.ni
See [website](https://sphincs.org) and [repo](https://github.com/sphincs/sphincsplus).
We implement spec v3.1 with FIPS adjustments. Some wasm libraries use older specs.

> [!NOTE]
> [!NOTE]
> SLH-DSA is slow: see benchmarks below
### What should I use?
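Review bot: as in the previous hunk, the replaced `> [!NOTE]` line looks identical to the one it replaces, so this appears to be a whitespace-only change. A blank line between `> SLH-DSA is slow: see benchmarks below` and `### What should I use?` would also keep the admonition visually separated from the heading that follows it.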
Expand Down Expand Up @@ -178,12 +183,12 @@ If you see anything unusual: investigate and report.
Noble is the fastest JS implementation of post-quantum algorithms.
WASM libraries can be faster.

| OPs/sec | Keygen | Signing | Verification | Shared secret |
| ------------ | ------ | ------- | ------------ | ------------- |
| ECC ed25519 | 10270 | 5110 | 1050 | 1470 |
| ML-KEM-768 | 2300 | | | 2000 |
| ML-DSA44 | 670 | 120 | 620 | |
| SLH-DSA-SHA2-128f | 250 | 10 | 167 | |
| OPs/sec | Keygen | Signing | Verification | Shared secret |
| ----------------- | ------ | ------- | ------------ | ------------- |
| ECC ed25519 | 10270 | 5110 | 1050 | 1470 |
| ML-KEM-768 | 2300 | | | 2000 |
| ML-DSA44 | 670 | 120 | 620 | |
| SLH-DSA-SHA2-128f | 250 | 10 | 167 | |

For SLH-DSA, SHAKE slows everything down 8x, and -s versions do another 20-50x slowdown.

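Review bot: the table rewrite only pads the columns so the source aligns; the rendered output is unchanged, which is fine, but the section still does not say which hardware, Node.js version or run count the OPs/sec figures come from, and the sentence "For SLH-DSA, SHAKE slows everything down 8x, and -s versions do another 20-50x slowdown." would be easier to check against the table if it named the variant the 250/10/167 row was measured on. Consider adding a one-line "measured on ..." note above the table.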