Re: [CFRG] NSA vs. hybrid
Andrey Jivsov <crypto@brainhub.org> Tue, 07 December 2021 00:44 UTC
References: <BL3PR11MB5732F4B9822A93E08E7E115F9F6D9@BL3PR11MB5732.namprd11.prod.outlook.com> <310998F0-F6A8-46D0-AF14-A85367169396@ll.mit.edu>
In-Reply-To: <310998F0-F6A8-46D0-AF14-A85367169396@ll.mit.edu>
From: Andrey Jivsov <crypto@brainhub.org>
Date: Mon, 06 Dec 2021 16:44:03 -0800
Message-ID: <CAKUk3btLdy_udkz5Ti3-jQB24jPnYUEnuOWUduYaBnz8qcUciA@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/0YDeYPVgt3IOAuWUJsuYGi1Rv2c>
Subject: Re: [CFRG] NSA vs. hybrid
Firmware signing for long-lived systems, like chips used in cars, falls under #2, yet the reasoning about relevance and time to worry is the same as for #1. Systems built today may be broken 30 years from now, without the possibility of updating them. Fortunately, there is XMSS to solve this problem for firmware signing, and XMSS should not need a hybrid scheme. However, I generally support a hybrid scheme for cases like #1, at least as a "paranoid security" option.

On Mon, Dec 6, 2021 at 4:27 PM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

> CRQC (Crypto-Relevant Quantum Computer) is a threat in two ways:
> 1. Breaking your key exchange and decrypting your confidential information;
> 2. Forging your digital signature and/or authentication.
>
> For sensitive data, problem (1) is relevant now - because, as you said,
> ciphertexts could be recorded now and broken/decrypted decade(s) later,
> when CRQC is available. Hybrid won't help here (and those who don't expect
> CRQC to arrive, can stay with ECC).
>
> As to (2), it's unclear when we need to start worrying (though, probably,
> not now). Clearly, it's of no advantage to the adversary to forge my
> signature now on a TLS session established 10 years ago. It may well be a
> concern for legal documents - e.g., if somebody 10 years from now forges a
> signature on a mortgage - but I can't evaluate this risk, as I don't have
> enough understanding of the field.
>
> So, "quantum annoyance" is not an answer for me: for short-lived data, I
> don't care at all (for now) - and for long-lived (presumably important)
> data I can't rely on "well, they're busy cracking zillions of somebody
> else's data, and my data's turn may not even come".
> --
> Regards,
> Uri
>
> There are two ways to design a system. One is to make it so simple there
> are obviously no deficiencies.
> The other is to make it so complex there are no obvious deficiencies.
>
> - C. A. R. Hoare
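The message above points to XMSS for firmware signing because a hash-based signature rests only on the hash function, not on a problem a quantum computer is expected to solve. The following is an added toy example, not code from the message or from any XMSS implementation: it builds the structure XMSS shares with all stateful hash-based schemes (many one-time keys under one Merkle root, plus a use counter) out of Lamport one-time signatures, so that the property that matters for long-lived firmware keys can be seen directly. Real XMSS (RFC 8391) uses WOTS+ chains, L-trees and keyed hashing rather than raw Lamport keys and plain SHA-256; the class and function names, tree height and "firmware image" input are all constructed here for illustration.

```python
# Added toy example (not part of the CFRG message): a stateful hash-based
# signature in the style of XMSS, built from Lamport one-time signatures and a
# Merkle tree. Real XMSS (RFC 8391) uses WOTS+, L-trees and prefixed hashing;
# this keeps only the structure that matters for firmware signing: one public
# root, many one-time keys, and a use counter that must never go backwards.
import hashlib
import secrets

N_BITS = 256  # size of the message digest that each Lamport key covers


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()


def digest_bits(msg: bytes) -> list:
    """Hash the message and expand the digest into a list of N_BITS bits."""
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def lamport_keygen():
    """One-time key: two random secrets per digest bit; pk holds their hashes."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(N_BITS)]
    pk = [[H(pair[0]), H(pair[1])] for pair in sk]
    return sk, pk


def lamport_pk_hash(pk) -> bytes:
    """Compress a Lamport public key to one 32-byte Merkle leaf."""
    return H(*[h for pair in pk for h in pair])


def lamport_sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit, the secret selected by that bit."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Each revealed secret must hash to the public half selected by the bit."""
    if len(sig) != N_BITS:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))


class ToyXmssSigner:
    """2**height one-time keys under one Merkle root; next_index is the state."""

    def __init__(self, height: int = 3):
        self.n_leaves = 1 << height
        self.ots_keys = [lamport_keygen() for _ in range(self.n_leaves)]
        leaves = [lamport_pk_hash(pk) for _, pk in self.ots_keys]
        self.levels = [leaves]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]  # the long-lived public key
        self.next_index = 0             # in a real signer: persisted before release

    def sign(self, msg: bytes):
        """Use the next unused leaf; refuse to sign once all leaves are spent."""
        if self.next_index >= self.n_leaves:
            raise RuntimeError("one-time keys exhausted; generate a new tree")
        idx = self.next_index
        self.next_index += 1  # advance the counter before the signature leaves
        sk, pk = self.ots_keys[idx]
        auth_path, node = [], idx
        for lvl in self.levels[:-1]:
            auth_path.append(lvl[node ^ 1])  # sibling hash at this level
            node >>= 1
        return (idx, pk, lamport_sign(sk, msg), auth_path)


def toy_xmss_verify(root: bytes, msg: bytes, signature) -> bool:
    """Check the one-time signature, then that its key hashes up to the root."""
    idx, pk, ots_sig, auth_path = signature
    if not lamport_verify(pk, msg, ots_sig):
        return False
    node = lamport_pk_hash(pk)
    for sibling in auth_path:
        node = H(sibling, node) if idx & 1 else H(node, sibling)
        idx >>= 1
    return node == root


if __name__ == "__main__":
    signer = ToyXmssSigner(height=2)
    image = b"constructed firmware image v1"  # constructed sample input
    sig = signer.sign(image)
    print("valid:", toy_xmss_verify(signer.root, image, sig))
    print("tampered:", toy_xmss_verify(signer.root, image + b"!", sig))
```

The verifier needs nothing but the 32-byte root and the hash function, which is why such a key can be burned into a device for decades without a second, classical algorithm alongside it. The cost is the state: signing the same leaf index twice reveals two Lamport signatures under one key and lets an attacker forge further messages, so a production signer must write the incremented counter to durable storage before it hands out the signature, and must never be restored from a backup that holds an older counter.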