Re: [CFRG] NSA vs. hybrid

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 07 December 2021 01:20 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Martin Thomson <mt@lowentropy.net>, "cfrg@irtf.org" <cfrg@irtf.org>

I don't think the "PQ algorithms do not hold" case is as absolute as you're claiming:


In cold storage encryption or any kind of public trust signature scenario (i.e., places where record-now-crack-later doesn't apply):
1) Implementation bugs in either traditional or PQC: hybrid makes these not-immediately-fatal and buys you time to patch and potentially re-protect existing data. (applies to both pre- and post-CRQC scenarios thanks to "quantum annoyance").


In all scenarios:
2) Hybrid (esp. with 3+ algs) allows you to combine multiple PQC algs, spreading out your risk.

---
Mike Ounsworth
Software Security Architect, Entrust

-----Original Message-----
From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL
Sent: December 6, 2021 6:53 PM
To: Martin Thomson <mt@lowentropy.net>; cfrg@irtf.org
Subject: [EXTERNAL] Re: [CFRG] NSA vs. hybrid

> > For sensitive data, problem (1) is relevant now - because, as you
> > said, ciphertexts could be recorded now and broken/decrypted
> > decade(s) later, when CRQC is available. Hybrid won't help here (and
> > those who don't expect CRQC to arrive, can stay with ECC).
>
> I'm sorry, is that right?  Are you asserting that a hybrid key
> exchange can be broken later?

If our PQ algorithms do not hold - absolutely, Hybrid will be broken with CRQC.

If our PQ algorithms hold - Hybrid holds too, but we don't need it then.

In the end - the fate of Key Exchange rides on whether PQ algorithms will hold.
