Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 03 April 2019 14:54 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Watson Ladd <watsonbladd@gmail.com>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
Date: Wed, 03 Apr 2019 14:54:22 +0000
Message-ID: <05E673A9-7CC0-47C9-9EDD-B56FE89246EC@ll.mit.edu>
References: <155231848866.23086.9976784460361189399@ietfa.amsl.com> <CAEseHRrSiJ72tQepyTiL=pSBcRRLGXhnJyy_QzOubWax+v=Ntw@mail.gmail.com> <CAEseHRqh4d0VaeSaj4CWr_ZxJbbpm33ZaLF-aYGBjVowFNLFeQ@mail.gmail.com> <c57bbf7b-3177-eb64-a3c0-26842fccbb89@lepidum.co.jp> <CAEseHRrVomCo6KD7gidCRBzKJDzFZRQ+q0+PjfBr8tQT4dVpMQ@mail.gmail.com> <b016d1f6-68e4-9728-c738-ab72c593dfd1@lepidum.co.jp> <CAEseHRoLGFbf74HT9n2beryc9Liqf2Hz+_rh-yo6Q8hNqwCvNQ@mail.gmail.com> <CAMCcN7RTQU=a+SYVkGUHZ4enOhkA9j9i6ivMRDUwb+aXPZ9hBg@mail.gmail.com> <7AE82BE8-768D-4B70-B7F1-EAF6894E428E@ll.mit.edu> <9CABDAD4-AAB7-46BF-BED7-6A917F828F11@inf.ethz.ch> <27F5D9B6-A44D-4A12-B81D-C4FB01052113@ll.mit.edu> <810C31990B57ED40B2062BA10D43FBF501DB4A31@XMB116CNC.rim.net> <B79CBA86-3C81-4973-84C2-7DAD7B659CB4@ericsson.com> <CADPMZDCHgsP6=ssJymeoq7RP1eshWf4zk+N9Cf1DY-fk+ntCgA@mail.gmail.com> <1554167337418.62603@cs.auckland.ac.nz> <1A5915E5-E50A-426E-B8F5-6CCCA47AB392@ll.mit.edu> <1554185903715.11087@cs.auckland.ac.nz> <86950110-c278-31d2-ae3e-a2485d0243ed@web.de> <1554249372811.54517@cs.auckland.ac.nz> <CAND9ES1a8SrTuk+8yDJQMOUfGRyY+VNbPGM6m1NFo0v2m9oavw@mail.gmail.com> <CACsn0ck5_HgQ+esaNYUk3h0oghBEqxizR3kV9bHOfVSoWuvS+w@mail.gmail.com>
In-Reply-To: <CACsn0ck5_HgQ+esaNYUk3h0oghBEqxizR3kV9bHOfVSoWuvS+w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8qs7LMWjSUus7d_2ms63QaPpDLc>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

In short, the problem is that one group of people accepts the risks for another group of people. 

As one of the bank officials said in a private discussion: "Your risk is always lower than our cost."

Regards,
Uri

Sent from my iPhone

> On Apr 3, 2019, at 10:48, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
>> On Wed, Apr 3, 2019 at 4:29 AM William Whyte <wwhyte@onboardsecurity.com> wrote:
>> 
>> Hi Peter,
>> 
>>> Another thing about PQC is that all of this is entirely new crypto that we
>>> have no experience in using.  We've had decades of experience with using
>>> PreQC, and have mostly managed to get it right (a lot of the attacks being
>>> performed were known about years ago but were ignored until someone published
>>> an attack paper with accompanying tools and newsworthy name, and even then
>>> there's a huge amount of code in PreQC crypto designed specifically to prevent
>>> entire classes of attacks), while we have zero experience with using PQC.
>> 
>> This is an argument for being cautious about deploying PQC. It's not an argument
>> that it's a good idea to develop new PreQC primitives. If anything, it's an argument
>> against that.
> 
> There are protocols that only work with new primitives. Some people
> are willing to accept the risk.
> What's the problem?
> 
>> 
>> Cheers,
>> 
>> William
>> 
>> 
>>> On Tue, Apr 2, 2019 at 7:57 PM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>>> 
>>> Björn Haase <bjoern.m.haase@web.de> writes:
>>> 
>>>> We know that the cost of conventional attacks is low and many applications
>>>> are actually "worth" the effort of an attack.
>>> 
>>> Another thing about PQC is that all of this is entirely new crypto that we
>>> have no experience in using.  We've had decades of experience with using
>>> PreQC, and have mostly managed to get it right (a lot of the attacks being
>>> performed were known about years ago but were ignored until someone published
>>> an attack paper with accompanying tools and newsworthy name, and even then
>>> there's a huge amount of code in PreQC crypto designed specifically to prevent
>>> entire classes of attacks), while we have zero experience with using PQC.
>>> Which means we're going to see years if not decades of new attacks, or the
>>> same old attacks that were fixed in PreQC implementations, popping up with
>>> PQC.  It's quite possible that PQC will make us a lot *less* secure, if QC
>>> never really happens but the expected vulnerabilities in using PQC do.
>>> 
>>> In fact I'll make this prediction now:
>>> 
>>>  Likelihood of successful attacks due to QC: Epsilon.
>>>  Likelihood of successful attacks due to use of PQC over PreQC: 100.0%.
>>> 
>>> (the second figure should actually be much higher than 100%, because there'll
>>> be many, many of them, not just one).
>>> 
>>> Peter.
>>> 
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>> 
>> 
>> 
>> --
>> 
>> ---
>> 
>> I may have sent this email out of office hours. I never expect a response outside yours.
> 
> 
> 
> -- 
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
> 