Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid

Christopher Peikert <christopher.peikert@algorand.com> Thu, 09 December 2021 14:47 UTC

References: <BL3PR11MB5732F4B9822A93E08E7E115F9F6D9@BL3PR11MB5732.namprd11.prod.outlook.com> <310998F0-F6A8-46D0-AF14-A85367169396@ll.mit.edu> <e8e80662-ac81-4845-8f8c-64ac81e30890@www.fastmail.com> <CAOp4FwQTyYGWLRoMYA_+kaGAzGjTb1Z=6kcQfGkmrw_7oEHqhQ@mail.gmail.com> <2213E164-231B-4D95-9CEE-5808E5EE8034@interlog.com> <BL3PR11MB57323BB269FE39E9BB19BC029F6F9@BL3PR11MB5732.namprd11.prod.outlook.com>
In-Reply-To: <BL3PR11MB57323BB269FE39E9BB19BC029F6F9@BL3PR11MB5732.namprd11.prod.outlook.com>
From: Christopher Peikert <christopher.peikert@algorand.com>
Date: Thu, 09 Dec 2021 09:46:41 -0500
Message-ID: <CAJ9Arpgo0TEo8Fc2oqqt2-7fe29_O5OeH3W5+uPXXpa7yog-8A@mail.gmail.com>
To: mike.ounsworth=40entrust.com@dmarc.ietf.org
Cc: Richard Outerbridge <outer@interlog.com>, Loganaden Velvindron <loganaden@gmail.com>, CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/65tMs1qFiI2xB9Y0ZGBgdSmwV1Y>
Subject: Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid

On Wed, Dec 8, 2021 at 6:43 PM Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:

> > As has been noted, so has NTRU gone through a good amount of review,
> even more perhaps than Rijndael by this point in the competition for AES.
>
> I'm probably gonna embarrass myself, but here goes ... The argument that
> I've heard made is that there's a quantum leap (pun intended) between the
> complexity of the mathematics of RSA/ECC and NTRU. You can mostly wrap your
> brain around RSA if your high school teaches modular arithmetic, and the
> attacks if you take 2nd year uni group theory. ECC also 2nd year group
> theory. Lattices, LWE, R-LWE, and especially module-LWE are this esoteric
> combination of rings, fields, and linear algebra that requires a very
> specific trajectory of graduate studies (likely over-simplified, apologies
> in advance).
>

It's unfortunate that people have this impression, because it's not true at
all.

Understanding NTRU or (even easier) R-LWE encryption requires just basic
polynomial arithmetic. They can be taught in about an hour to early
undergraduates, or even talented high schoolers (I've handled both).

Understanding ECC seems at least as difficult: one needs the curve equation
and its solutions, the group operation (how points are "added"), the
repeated-doubling algorithm, and Diffie-Hellman-style agreement. This isn't
super-advanced stuff, but it probably takes a couple of hours to convey a
thorough understanding to someone who already knows modular arithmetic.

Comprehending the best *attacks* is an entirely different matter, but
that's true for all of RSA, ECC, and lattices. How many people are experts
in the Number Field Sieve factoring algorithm -- the best attack on RSA?
This is not undergrad-level stuff, by any means. Nor are the best attacks
on lattices, though many experts have been working on them for decades.

No matter the area, the best attacks turn out to be a lot more complicated
than the cryptosystems themselves. But you don't need to understand the
attacks to understand how the schemes work, nor why they appear to be
secure.

Sincerely yours in cryptography,
Chris
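As an added illustration of the point made in the reply above, and not code from the original email or from any project: the textbook Ring-LWE public-key encryption scheme written out using nothing beyond polynomial addition and multiplication in Z_Q[x]/(x^N + 1). The parameters N = 256 and Q = 7681, and the ternary {-1, 0, 1} distribution for secrets and errors, are assumptions chosen for the illustration so that the worst-case decryption noise (at most 2N + 1 in absolute value) stays below Q/4; they are not a recommended parameter set.

```python
import secrets

N = 256   # ring degree: all polynomials live in Z_Q[x] / (x^N + 1)   (toy choice)
Q = 7681  # coefficient modulus                                      (toy choice)

# Worst-case |noise| after decryption: |e*r| <= N, |e1*s| <= N, |e2| <= 1
# when every small coefficient is in {-1, 0, 1}. Decryption is correct
# for every message as long as this bound is below Q/4.
NOISE_BOUND = 2 * N + 1


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def poly_mul(a, b):
    """Schoolbook product reduced modulo x^N + 1: x^N = -1, so a term that
    overflows past degree N-1 wraps around with its sign flipped."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] += ai * bj
            else:
                res[k - N] -= ai * bj
    return [c % Q for c in res]


def sample_uniform():
    """Public polynomial: coefficients uniform in [0, Q)."""
    return [secrets.randbelow(Q) for _ in range(N)]


def sample_small():
    """Secret / error polynomial: coefficients uniform in {-1, 0, 1}."""
    return [secrets.randbelow(3) - 1 for _ in range(N)]


def random_bits():
    """An N-bit message, one bit per coefficient."""
    return [secrets.randbelow(2) for _ in range(N)]


def keygen():
    """pk = (a, b = a*s + e), sk = s.  The R-LWE assumption says (a, b) looks random."""
    a = sample_uniform()
    s = sample_small()
    e = sample_small()
    b = poly_add(poly_mul(a, s), e)
    return (a, b), s


def encrypt(pk, bits):
    """u = a*r + e1,  v = b*r + e2 + (Q//2)*m.  Fresh r, e1, e2 per ciphertext."""
    a, b = pk
    r, e1, e2 = sample_small(), sample_small(), sample_small()
    u = poly_add(poly_mul(a, r), e1)
    scaled = [(Q // 2) * m for m in bits]
    v = poly_add(poly_add(poly_mul(b, r), e2), scaled)
    return u, v


def decrypt(sk, ct):
    """w = v - u*s = (Q//2)*m + (e*r - e1*s + e2); the a*r*s terms cancel.
    Each coefficient is then rounded to 0 or Q/2, whichever is nearer."""
    u, v = ct
    w = poly_sub(v, poly_mul(u, sk))
    return [1 if Q // 4 < c < 3 * Q // 4 else 0 for c in w]


if __name__ == "__main__":
    assert NOISE_BOUND < Q // 4, "toy parameters would not decrypt reliably"
    pk, sk = keygen()
    msg = random_bits()
    ct = encrypt(pk, msg)
    print("round trip ok:", decrypt(sk, ct) == msg)
```

The whole scheme is the three functions at the bottom; everything above them is ordinary modular arithmetic on coefficient lists. Decryption works because v - u*s leaves only (Q//2)*m plus a sum of products of small polynomials, and the NOISE_BOUND check shows why the toy parameters make that sum small enough to round away.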