Re: [CFRG] NSA vs. hybrid

Natanael <natanael.l@gmail.com> Thu, 02 December 2021 18:33 UTC

References: <CAAt2M19ELcS23UrEObWyxAVFPDE8N9+9JoVAB_b17fv_yC4Z6A@mail.gmail.com> <85373E4C-01FD-4EA2-AD9E-E4058F8A9B21@ll.mit.edu>
In-Reply-To: <85373E4C-01FD-4EA2-AD9E-E4058F8A9B21@ll.mit.edu>
From: Natanael <natanael.l@gmail.com>
Date: Thu, 02 Dec 2021 19:33:20 +0100
Message-ID: <CAAt2M1_zbaWsXK7OA8U3FPTM7f5-qgd4UwDFSDVCZRTibWKPzA@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: Soatok Dreamseeker <soatok.dhole@gmail.com>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8t7OwGOdrqN4kS4bbNtpTcRgdgY>

Hybrid *with what* in the past decades?

The backup algorithm has to plausibly be an actual improvement -
historically any lowered confidence in RSA only led to greater key lengths,
because that was the option that was understood. Performance issues ruled
out most hybrid options and there was no obvious secondary or substitute
algorithm (especially due to patent issues).

PQ algorithms simply haven't had enough cryptanalysis in the past decades
for us to be confident in them, so the value proposition was missing. That
analysis is building up now, but I don't yet trust any one option enough to
rely on it.

Hybrid choices *today* give both an additional motivation for the
algorithms to be analyzed further and more room for experimentation
with the PQ candidates, and do so with minimal risk. And most systems
where they can be deployed can tolerate the performance hit today.


On Thu, 2 Dec 2021 18:40, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
wrote:

> Following your logic, why haven't we been using a Hybrid approach for the
> last two decades? Are we that confident in the infallibility of RSA or ECDH(E)?
>
> Regards,
> Uri
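The "minimal risk" claim in the thread rests on how a hybrid key exchange combines its two shared secrets: the session key is derived from both, so an attacker who breaks only one algorithm (say, ECDH via a quantum computer, or a PQ candidate via new cryptanalysis) still lacks the other input. The following combiner is an added illustration written for this archive page, not code from the thread or from any IETF draft; the secret values and the transcript are constructed placeholders standing in for real ECDH and PQ KEM outputs, and the function names are assumptions.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 HKDF-Extract with HMAC-SHA256.
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i).
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _length_prefixed(share: bytes) -> bytes:
    # Length-prefix each share so (b"ab", b"c") and (b"a", b"bc") cannot
    # collide once concatenated; plain concatenation would be ambiguous.
    return len(share).to_bytes(2, "big") + share


def derive_hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                      label: bytes = b"hybrid-example-v1") -> bytes:
    """Combine a classical (e.g. ECDH) and a PQ KEM shared secret.

    Both shares feed the IKM, and the handshake transcript (public keys /
    ciphertexts) is bound in as salt, so the result changes if either share
    or any transmitted value differs. Knowing only one share does not help
    an attacker reproduce the key.
    """
    ikm = _length_prefixed(ss_classical) + _length_prefixed(ss_pq)
    salt = hashlib.sha256(transcript).digest()
    return hkdf_expand(hkdf_extract(salt, ikm), label, 32)


# Constructed sample values; in a real handshake these come from ECDH and a
# PQ KEM decapsulation, and the transcript from the exchanged messages.
SS_CLASSICAL = bytes.fromhex("11" * 32)
SS_PQ = bytes.fromhex("22" * 32)
TRANSCRIPT = b"client_ecdh_pk|client_kem_pk|server_ecdh_pk|server_kem_ct"

if __name__ == "__main__":
    print(derive_hybrid_key(SS_CLASSICAL, SS_PQ, TRANSCRIPT).hex())
```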