Re: [CFRG] NSA vs. hybrid

Andrey Jivsov <crypto@brainhub.org> Tue, 07 December 2021 00:44 UTC

References: <BL3PR11MB5732F4B9822A93E08E7E115F9F6D9@BL3PR11MB5732.namprd11.prod.outlook.com> <310998F0-F6A8-46D0-AF14-A85367169396@ll.mit.edu>
In-Reply-To: <310998F0-F6A8-46D0-AF14-A85367169396@ll.mit.edu>
From: Andrey Jivsov <crypto@brainhub.org>
Date: Mon, 06 Dec 2021 16:44:03 -0800
Message-ID: <CAKUk3btLdy_udkz5Ti3-jQB24jPnYUEnuOWUduYaBnz8qcUciA@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/0YDeYPVgt3IOAuWUJsuYGi1Rv2c>
Subject: Re: [CFRG] NSA vs. hybrid

Firmware signing for long-lived systems, like chips used in cars, falls
under #2, yet the reasoning about relevance and time to worry is the same
as for #1. Systems built today may be broken 30 years from now, with no
possibility of updating them.

Fortunately, there is XMSS to solve this problem for firmware signing, and
XMSS should not need a hybrid scheme.

However, I generally support a hybrid scheme for cases like #1, at least as
a "paranoid security" option.

On Mon, Dec 6, 2021 at 4:27 PM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

> CRQC (Crypto-Relevant Quantum Computer) is a threat in two ways:
> 1. Breaking your key exchange and decrypting your confidential information;
> 2. Forging your digital signature and/or authentication.
>
> For sensitive data, problem (1) is relevant now - because, as you said,
> ciphertexts could be recorded now and broken/decrypted decade(s) later,
> when CRQC is available. Hybrid won't help here (and those who don't expect
> CRQC to arrive can stay with ECC).
>
> As to (2), it's unclear when we need to start worrying (though, probably,
> not now). Clearly, it's of no advantage to the adversary to forge my
> signature now on a TLS session established 10 years ago. It may well be a
> concern for legal documents - e.g., if somebody 10 years from now forges a
> signature on a mortgage - but I can't evaluate this risk, as I don't have
> enough understanding of the field.
>
> So, "quantum annoyance" is not an answer for me: for short-lived data, I
> don't care at all (for now) - and for long-lived (presumably important)
> data I can't rely on "well, they're busy cracking zillions of somebody
> else's data, and my data's turn may not even come".
> --
> Regards,
> Uri
>
> There are two ways to design a system. One is to make it so simple there
> are obviously no deficiencies.
> The other is to make it so complex there are no obvious deficiencies.
>
> - C. A. R. Hoare
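The message above argues that a stateful hash-based scheme such as XMSS covers long-lived firmware signing without a hybrid construction. The following is an added illustration, not code from this thread and not RFC 8391 XMSS itself (real XMSS uses WOTS+ chains, bitmasks and a keyed hash rather than plain Lamport keys and SHA-256): a toy Merkle-tree signer over Lamport one-time keys. It shows the two properties the argument rests on: verification depends on nothing but the hash function, so there is no number-theoretic assumption for a quantum computer to attack, and the signer carries state (the next unused leaf index) that must be persisted before a signature is released, because signing two messages with one leaf key exposes extra preimages. The firmware image bytes are constructed sample input.

```python
"""Toy stateful hash-based signature: Lamport one-time keys under a Merkle tree.

Added illustration only; not RFC 8391 XMSS and not from the CFRG thread.
"""
import hashlib
import secrets


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def bit_at(digest: bytes, i: int) -> int:
    """i-th bit of a 32-byte digest, most significant bit first."""
    return (digest[i // 8] >> (7 - (i % 8))) & 1


class LamportOTS:
    """One-time key: for each of the 256 digest bits, two random 32-byte preimages."""

    def __init__(self) -> None:
        self.sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        self.pk = [(H(a), H(b)) for a, b in self.sk]

    def sign(self, msg: bytes) -> list:
        d = H(msg)
        # Reveal exactly one preimage per digest bit; a second, different
        # message under the same key would reveal more (see exposed_positions).
        return [self.sk[i][bit_at(d, i)] for i in range(256)]


def lamport_pk_hash(pk: list) -> bytes:
    return H(*[a + b for a, b in pk])


def lamport_verify(pk: list, msg: bytes, sig: list) -> bool:
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit_at(d, i)] for i in range(256))


def exposed_positions(pk: list, sig1: list, sig2: list) -> int:
    """Digest positions where two signatures under ONE leaf key reveal both
    preimages. Nonzero means the key is no longer one-time, which is why the
    signer's index state must never roll back (e.g. after restoring a backup)."""
    return sum(1 for a, b in zip(sig1, sig2) if a != b)


class ToyStatefulMerkleSigner:
    """2**height Lamport keys; the Merkle root is the long-term public key."""

    def __init__(self, height: int) -> None:
        self.ots = [LamportOTS() for _ in range(1 << height)]
        self.layers = [[lamport_pk_hash(o.pk) for o in self.ots]]
        while len(self.layers[-1]) > 1:
            prev = self.layers[-1]
            self.layers.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
        self.root = self.layers[-1][0]
        self.next_index = 0  # the state: persist it before releasing a signature

    def sign(self, msg: bytes) -> tuple:
        if self.next_index >= len(self.ots):
            raise RuntimeError("key exhausted: every one-time leaf has been used")
        idx = self.next_index
        self.next_index += 1  # advance state first, then sign
        auth, i = [], idx
        for layer in self.layers[:-1]:
            auth.append(layer[i ^ 1])  # sibling node on the path to the root
            i >>= 1
        return (idx, self.ots[idx].pk, self.ots[idx].sign(msg), auth)


def verify(root: bytes, msg: bytes, sig: tuple) -> bool:
    """Only hash evaluations: check the one-time signature, then the auth path."""
    idx, pk, ots_sig, auth = sig
    if not lamport_verify(pk, msg, ots_sig):
        return False
    node, i = lamport_pk_hash(pk), idx
    for sibling in auth:
        node = H(node, sibling) if i % 2 == 0 else H(sibling, node)
        i >>= 1
    return node == root


if __name__ == "__main__":
    signer = ToyStatefulMerkleSigner(3)  # 8 signatures, then the key is exhausted
    image = b"constructed firmware image v1"
    sig = signer.sign(image)
    print("valid:", verify(signer.root, image, sig))
    print("tampered:", verify(signer.root, image + b"x", sig))
```

A verifier in a car ECU would burn only the 32-byte root into ROM; each signed firmware update carries its leaf index, leaf public key, one-time signature and authentication path. The operational cost that XMSS deployments carry, and that this toy makes visible, is the `next_index` counter: it must survive reboots and restores without ever going backwards.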