IETF Logo Mail Archive

Re: [CFRG] NSA vs. hybrid

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 07 December 2021 15:44 UTC

Return-Path: <prvs=89753b2724=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9AE93A1704; Tue, 7 Dec 2021 07:44:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hc-u9ruAW-w1; Tue, 7 Dec 2021 07:44:18 -0800 (PST)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 595393A16EF; Tue, 7 Dec 2021 07:44:18 -0800 (PST)
Received: from LLEX2019-2.mitll.ad.local (llex2019-2.llan.ll.mit.edu [172.25.4.124]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 1B7FiFEU409071 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 7 Dec 2021 10:44:15 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=bYBiFl3/r3fNWOOi63QNq4Q9m3Qp+o/YgwKYTeoswLxYYZxOkIoAYVaFu08XFB4VyDh7dPDxeUgBrCq0o9xFyMQXAfHVz7sCUAxSAMAL68xvR+qtRlqyWW0XtNfFC/VcS0hjXe/82U/VrnCzRzkCmk2+x3PsBydJtCZ5/EcG5K/9ITzueWspFV46QcH9rCQ2VuA9uGi6TpiNA5Tn96/kntebANrun0ML1zo2gWHD+2mqvBUN3X++BBZ5bnAiR20dBNs4rA9AE0rESo/Qt8GAPplLQj+oeqB8x1JRZELwv9LnKywOaUCCYDbRkkMy8MRkN2HJ1WJwW47lVERjM/Qjmw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=h0e5M0GpfRrIIut29bVNYrXe3HZLFncYnEBad+wZST4=; b=iaNZ9kNb/Ff8D/+7q/I1pR7iNKbXYOQu/Lvr/BnSXEwWfSmTcn9+hD/1KmnX6e+M6Lu1JOatee/McHmiOC8VUXxFgceJSXUGz37qMd6pKZFlsQ/NZ9acT2gNuCi8/r7p5cLqLrvMuZAUAThb39YV4R6T+XmY2hh85gFriiT+ob2xQyqdPFsRXyqO2qQV2cBU2D8pqxKDz6hrto/WOBtauPQDbWgaML7+wg8C+7HM3bCCEooJXEcFlRPzNBMu6SGtkAWB1KXAv2UWpXKnN3depYcMPdx2GUJ9q9l4rZ6aFGTq1KUY8zncHtWTY6txS9PZPd7lSZVKYna/U3QoPIVcPQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Dan Brown <danibrown@blackberry.com>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] NSA vs. hybrid
Thread-Index: AQHX6XmzW9d+W2Z8cUihngZecK0bMawlll2AgAFFbQA=
Date: Tue, 07 Dec 2021 15:44:12 +0000
Message-ID: <DEFE3B2F-23E4-40B6-9791-AE0F05355CD9@ll.mit.edu>
References: <AB168E30-9398-426D-919A-8002110577F8@ll.mit.edu> <8223d944172648d38426533b0da11325@blackberry.com>
In-Reply-To: <8223d944172648d38426533b0da11325@blackberry.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.54.21101001
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 27fe8948-f0ba-450e-f623-08d9b9986b04
x-ms-traffictypediagnostic: CY1P110MB0487:
x-microsoft-antispam-prvs: <CY1P110MB0487DDC0946E7C30B17A7ADC906E9@CY1P110MB0487.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BXCQ6d6DUZarZqXvTCqqWEJFbQREUPRaEWuTDtUwMbZUDAS384tK0IfGqcvwUwVU1r0ThivIXFbtojhA9V8i9sf+UUdCAhftEVXk+W/ii0t/0XoIOYHjWcwXpdhM9wKNG0FFtsiYTjbP4E3RTjQJPOcLzuui8YG0Ok6ADWQ4SPr6NFqC4Rrc9boPWoIlNRpUjSum5i56mey8qgh6WZ9/waIXHP7AhAwGTrIpL+5d3P3ouDKBdwAl8Li3glddHRhVuYQ0Dluum2Q+011Zl+zBP1gjBhCJo/ItUDSUeI3GA0S38kbfXZIxEpiOuvq/WIq7gfvJ+n3kj6R0QD/IiKf/GmCUzKb1fHRfdLd4TSKnLp8MhG8AJybjzQ6VHlXAryXQhYh2iw7VUD+Ai55fUZKsNMIetMlQ7MzlEHw49lsQtSTqYLP04+FFc1Q1vAutXJEQrMrxAM5aOx6ONMUKsXKtl/dOOvuyxQ34+koeEaI7Bd6QbefBTxJtkjgBEgPhsrhSYLuqJ6KI6T+9WLAjazO8QlFl+GfNldbAXDL/9z08AmpfVUVGrlt1v7mkCLGnAHmYfTbb2LqaCDwPqcSl0IyI7Ve6h0Q3xpmZRqimNE0vsraUmI3R4Xq3u/lUwpt/5XBV9tFlHD3kjLt4fbv2L0dHAYJKPTbh5kp+0dWThMkAW30=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY1P110MB0616.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(33656002)(186003)(5660300002)(508600001)(6506007)(6512007)(38100700002)(2616005)(2906002)(122000001)(66476007)(316002)(86362001)(26005)(71200400001)(66574015)(8936002)(66556008)(99936003)(66946007)(66446008)(75432002)(76116006)(38070700005)(6486002)(8676002)(83380400001)(110136005)(64756008)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: h5ECfEdQluYbo3mU8lDIb5EaCzeK4mxrMst6CoobOXEPDjTIgCaSmaNxVhOtT8DkSDPhkphLxPsBn+7syfTsXR/BbZmKSszCWP/Q2zYV32BSVei2pjaD2iWCqZBT09JmsrGRLR1nXsdYUCybk7EHDA==
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3721718652_1067295577"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY1P110MB0616.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 27fe8948-f0ba-450e-f623-08d9b9986b04
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Dec 2021 15:44:13.0071 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1P110MB0487
X-Proofpoint-ORIG-GUID: kMftaUby_-MrylZM__oxlqbRXVCSGWhE
X-Proofpoint-GUID: kMftaUby_-MrylZM__oxlqbRXVCSGWhE
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-12-07_03:2021-12-06, 2021-12-07 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 suspectscore=0 malwarescore=0 adultscore=0 mlxlogscore=682 mlxscore=0 spamscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2112070095
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3UH9XyVZN4MjgYRserPW6tmRHpA>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Dec 2021 15:44:24 -0000

>    Not offering hybrid, say NTRU & ECC, in the past put us in this pickle now of 
>    the quantum computer attack risk.

I disagree. 

Back then, similarly to here-and-now, cryptographers could not know whether there'd be a breakthrough in discrete log, or in factoring, or in both (or in SVP). So, a prudent (from your point of view) thing would've been to combine (all of them). Instead, they (correctly, IMHO) decided that it isn't worth doing - the low likelihood of such a breakthrough did not justify that. 

NTRU now has been studied for as long as RSA then, and other Lattice-based algorithms - for as long as ECC then.

I concede that there was almost no FUD back then, compared to now. 

>    Certainly, there are applications where the gains from hybrid are outweighed 
>    by the cost, but also applications where hybrid is worthwhile.
>
>    Hybrid ought to be option, or IETF WGs should use a cost-benefit analysis per 
>    application, the CFRG could help there.

How do you evaluate the benefit? "If algorithm X gets broken, with a probability I've no idea of..."?

>    (Generally, let's learn from our mistakes.

Given that we had no problem caused by "not combining algorithms" so far, I say the mistake is what we're trying to do now.

>    Besides, aren't some users 
>    naturally inclined to expect the Internet to maximally secure their data? ;)

:-) Cuique suum.

v2.23.0 | Report a Bug | By Email