Re: [CFRG] NSA vs. hybrid

Mike Hamburg <mike@shiftleft.org> Thu, 16 December 2021 17:02 UTC

From: Mike Hamburg <mike@shiftleft.org>
Message-Id: <CE910870-EB8D-4845-A42E-962950555EB2@shiftleft.org>
Date: Thu, 16 Dec 2021 09:01:58 -0800
In-Reply-To: <CAMCcN7SnApLDOOVu440ghL8dg+L3C193SZzJd=U3t066x_1hZw@mail.gmail.com>
Cc: Natanael <natanael.l@gmail.com>, IRTF CFRG <cfrg@irtf.org>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
To: Marek Jankowski <mjankowski309@gmail.com>
References: <BL3PR11MB5732F4B9822A93E08E7E115F9F6D9@BL3PR11MB5732.namprd11.prod.outlook.com> <310998F0-F6A8-46D0-AF14-A85367169396@ll.mit.edu> <e8e80662-ac81-4845-8f8c-64ac81e30890@www.fastmail.com> <E383D80F-D38C-4A6F-9DA6-1BABDA7D8FBF@ll.mit.edu> <BL3PR11MB5732461035F7173FED4A0F309F6E9@BL3PR11MB5732.namprd11.prod.outlook.com> <CAAt2M19XCwuF==rmprejs+5Se5DwGYb4QRifR+__vSNtS0gugg@mail.gmail.com> <CAMCcN7SnApLDOOVu440ghL8dg+L3C193SZzJd=U3t066x_1hZw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6D2xKi5hyF9B0l-OHc1DJMJYXDQ>
Subject: Re: [CFRG] NSA vs. hybrid

Hi all,

Here are my two cents on this issue.

Hybrid cryptosystems would give a modest reduction in the risk of mathematical breakthrough, and on its own I’m not sure whether that’s worth the increased risk of implementation errors.

However, PQ systems will take a while to be implemented and validated on HSMs, and it will take a while to have well-tested defenses against side channel and fault attacks.  So if someone needs these features today, they will have trouble migrating to a postquantum system.  But they might be able to migrate to a hybrid system with the classical part running in the HSM or in a side-channel-protected way, if this can be done in a way that’s at least as secure as the classical system.

I don’t know if that’s a controlling consideration, but we should at least consider it.

Regards,
— Mike
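The split described above, with the classical half kept where today's HSM and side-channel protections already exist, as an added example that is not code from this thread: a hybrid KEM whose classical half is X25519 from Go's standard library and whose PQ half is whatever (ciphertext, shared secret) pair any PQ KEM produces, combined with HKDF-SHA256 over both secrets and the transcript so the derived key is unpredictable while either secret is unknown. The function names, the salt label and the placeholder PQ values are assumptions for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// combine: HKDF-SHA256 (extract, then one expand block) over BOTH shared secrets and
// the transcript; an adversary who knows only one of the two secrets cannot compute it.
func combine(ssClassical, ssPQ, transcript []byte) []byte {
	ext := hmac.New(sha256.New, []byte("hybrid-kem-demo")) // salt label, assumed
	ext.Write(ssClassical)
	ext.Write(ssPQ)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(transcript)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// GenX25519 makes a classical key pair; the recipient's long-term copy is what an HSM would hold.
func GenX25519() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return k
}

// HybridEncap (sender): pqCT/pqSS are the ciphertext and shared secret from any PQ KEM
// run against the recipient's PQ key; the classical half is an ephemeral X25519 exchange.
func HybridEncap(rcpt *ecdh.PublicKey, pqCT, pqSS []byte) (ct, key []byte, err error) {
	eph := GenX25519()
	ssC, err := eph.ECDH(rcpt)
	if err != nil { return nil, nil, err }
	ct = append(eph.PublicKey().Bytes(), pqCT...) // ephemeral pk (32 bytes) || pq ciphertext
	return ct, combine(ssC, pqSS, ct), nil
}

// HybridDecap (recipient): priv.ECDH is the private-key operation that can stay inside
// an HSM today; pqSS is whatever the PQ KEM decapsulates from ct[32:].
func HybridDecap(priv *ecdh.PrivateKey, ct, pqSS []byte) ([]byte, error) {
	if len(ct) < 32 { return nil, fmt.Errorf("hybrid ciphertext too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(ct[:32])
	if err != nil { return nil, err }
	ssC, err := priv.ECDH(ephPub)
	if err != nil { return nil, err }
	return combine(ssC, pqSS, ct), nil
}
```

If the PQ component is completely broken (pqSS known to the attacker), the key still depends on the X25519 secret, so the hybrid is no weaker than the classical scheme alone; the converse holds when the classical half falls.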

> On Dec 16, 2021, at 7:47 AM, Marek Jankowski <mjankowski309@gmail.com> wrote:
> 
> I would like to share my opinion regarding the thesis presented below, as I think it neglects a major issue which must be taken into account.
> 
> On Thu, Dec 2, 2021 at 5:45 PM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> 1.  CRQC arrived, Classic hold against classic attacks,  PQ algorithms hold - Hybrid is useless. 
> 2. CRQC arrived, Classic hold against classic attacks, PQ algorithms fail - Hybrid is useless. 
> 3. CRQC arrived, Classic broken against classic attacks,  PQ algorithms hold - Hybrid is useless. 
> 4. CRQC arrived, Classic hold against classic attacks,  PQ algorithms broken - Hybrid useless. 
> 5. CRQC doesn’t arrive, Classic hold against classic attacks,  PQ algorithms hold - Hybrid is useless. 
> 6. CRQC doesn’t arrive, Classic hold against classic attacks,  PQ algorithms broken - Hybrid helps. 
> 7. CRQC doesn’t arrive, Classic broken against classic attacks,  PQ algorithms hold - Hybrid is useless. 
> 8. CRQC doesn’t arrive, Classic broken against classic attacks,  PQ algorithms broken - Hybrid is useless. 
> 
> The most relevant period to consider is between the emerging of PQC standards and the arrival of CRQC.
> According to most estimations, this period will be the next 10-20 years (see Michele Mosca's post here https://open-ecosystem.org/articles/whats-your-risk-quantum-computers).
> The above analysis considers only two cases: CRQC will arrive "in the near future" and CRQC will never arrive. This approach neglects the importance of safe and trusted cryptography in this interim period (which is also the migration period).
> 
> In this period, those are the possibilities for hybrid usefulness:
> 1. Classic holds (against classic attacks), PQ holds - Hybrid isn't useful.
> 2. Classic holds, PQ breaks - Hybrid helps.
> 3. Classic breaks, PQ holds - Hybrid isn't useful.
> 4. Classic breaks, PQ breaks - Hybrid isn't useful.
> 
> Those possibilities aren't equally likely. Specifically, a classical attack against current classical ciphers seems highly improbable. This means that 3 and 4 are unlikely and shouldn't be meaningfully taken into account.
> In this case, 2 is not an unreasonable outcome, which leaves hybridization in an important position.
> 
> On Tue, Dec 7, 2021 at 3:01 AM Natanael <natanael.l@gmail.com> wrote:
> PQ algorithms can break in that 1) they get reduced to classical quantum weak security, in which case hybrid won't help but where they still resist classical adversaries.
> 
> And 2) they can also break to even classical adversaries, in which case hybrid does help because it's much less likely that the more well established algorithms simultaneously break to classical adversaries. 
> 
> I think that this is a valid point as well. Even if 2 happens in a world with CRQC, it leaves us open to quantum adversaries only. Not the best scenario, but better than being vulnerable to every cyber-criminal out there.
> 
> Regards,
> Marek
> 
> 
> 
> On Tue, Dec 7, 2021 at 3:01 AM Natanael <natanael.l@gmail.com> wrote:
> 
> 
> On Tue, 7 Dec 2021 02:21 Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
> I don't think the " PQ algorithms do not hold" case is as absolute as you're claiming:
> 
> 
> In cold storage encryption or any kind of public trust signature scenario (ie places where record-now-crack-later doesn't apply):
> 1) Implementation bugs in either traditional or PQC: hybrid makes these not-immediately-fatal and buys you time to patch and potentially re-protect existing data. (applies to both pre- and post-CRQC scenarios thanks to "quantum annoyance").
> 
> 
> In all scenarios:
> 2) Hybrid (esp. with 3+ algs) allows you to combine multiple PQC algs, spreading out your risk.
> 
> And my own main argument, rephrased in the list-condensed form:
> 
> Most people worry about non quantum adversaries, some worry about both quantum and non quantum adversaries. 
> 
> PQ algorithms can break in that 1) they get reduced to classical quantum weak security, in which case hybrid won't help but where they still resist classical adversaries.
> 
> And 2) they can also break to even classical adversaries, in which case hybrid does help because it's much less likely that the more well established algorithms simultaneously break to classical adversaries. 
> 
> As mentioned before #2 has already been observed. I anticipate to see it happen again. Just because we failed to prevent a quantum attacker it doesn't mean all is lost, because most relevant adversaries for most people are still only classical adversaries. In addition hybrid under #2 raises the cost of performing the attacks. 
> 
> As for previous questions from earlier messages on the topic, we did not use hybrid between RSA and ECC because ECC took so long to deploy that by the time it was ready for use it was fairly widely trusted already. In addition, it's fairly meaningless to deploy hybrid between algorithms with fundamentally equivalent hardness assumptions and shared attacks. Hybrid is most useful when the risks are different in between the algorithms of choice. 
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg