IETF Logo Mail Archive

Re: [CFRG] NSA vs. hybrid

Richard Outerbridge <outer@interlog.com> Wed, 08 December 2021 06:59 UTC

Return-Path: <outer@interlog.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF7C13A0B03 for <cfrg@ietfa.amsl.com>; Tue, 7 Dec 2021 22:59:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A2Rgdo9eLyaB for <cfrg@ietfa.amsl.com>; Tue, 7 Dec 2021 22:59:46 -0800 (PST)
Received: from mail-1.ca.inter.net (mail-1.ca.inter.net [208.85.220.69]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71CD53A0A2A for <cfrg@irtf.org>; Tue, 7 Dec 2021 22:59:45 -0800 (PST)
Received: from mp-mx11.ca.inter.net (mp-mx11.ca.inter.net [208.85.217.19]) by mail-1.ca.inter.net (Postfix) with ESMTP id 390202EA3CB; Wed, 8 Dec 2021 01:59:42 -0500 (EST)
Received: from mail-1.ca.inter.net ([208.85.220.69]) by mp-mx11.ca.inter.net (mp-mx11.ca.inter.net [208.85.217.19]) (amavisd-new, port 10024) with ESMTP id IRxK1GLJUeaD; Wed, 8 Dec 2021 01:59:41 -0500 (EST)
Received: from [192.168.168.101] (bras-base-toroon0246w-grc-17-70-53-127-156.dsl.bell.ca [70.53.127.156]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: outer@interlog.com) by mail-1.ca.inter.net (Postfix) with ESMTPSA id 703E52EA18F; Wed, 8 Dec 2021 01:59:41 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Richard Outerbridge <outer@interlog.com>
In-Reply-To: <CAOp4FwQTyYGWLRoMYA_+kaGAzGjTb1Z=6kcQfGkmrw_7oEHqhQ@mail.gmail.com>
Date: Wed, 08 Dec 2021 01:59:41 -0500
Cc: Martin Thomson <mt@lowentropy.net>, CFRG <cfrg@irtf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2213E164-231B-4D95-9CEE-5808E5EE8034@interlog.com>
References: <BL3PR11MB5732F4B9822A93E08E7E115F9F6D9@BL3PR11MB5732.namprd11.prod.outlook.com> <310998F0-F6A8-46D0-AF14-A85367169396@ll.mit.edu> <e8e80662-ac81-4845-8f8c-64ac81e30890@www.fastmail.com> <CAOp4FwQTyYGWLRoMYA_+kaGAzGjTb1Z=6kcQfGkmrw_7oEHqhQ@mail.gmail.com>
To: Loganaden Velvindron <loganaden@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CTId8nQXRuIVrROl2i360hU1QKQ>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2021 06:59:51 -0000

On 2021-12-08 (342), at 01:01:18, Loganaden Velvindron <loganaden@gmail.com> wrote:

> On Tue, Dec 7, 2021 at 4:42 AM Martin Thomson <mt@lowentropy.net> wrote:
>> 
>> On Tue, Dec 7, 2021, at 11:27, Blumenthal, Uri - 0553 - MITLL wrote:
>>> For sensitive data, problem (1) is relevant now - because, as you said,
>>> ciphertexts could be recorded now and broken/decrypted decade(s) later,
>>> when CRQC is available. Hybrid won't help here (and those who don't
>>> expect CRQC to arrive, can stay with ECC).
>> 
>> I'm sorry, is that right?  Are you asserting that a hybrid key exchange can be broken later?  I was under the impression that if I paired ECC with a PQ algorithm (and didn't mess it up) I could get the best of the two, assuming that the KDF and AEAD and whatnot are also OK.
>> 
> I agree with Martin. ECC implementations have gone through a good
> amount of review. From an engineering point of view, it is safer to
> pair with a PQ implementation to be on the safe side.

As has been noted, so has NTRU gone through a good amount of review,
even more perhaps than Rinjdael by this point in the competition for AES.

Anyone see any serious objection to adoption (it’s already de facto)?
__outer

v2.23.0 | Report a Bug | By Email