IETF Logo Mail Archive

Re: [CFRG] NSA vs. hybrid

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 06 December 2021 06:28 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEA7D3A060D for <cfrg@ietfa.amsl.com>; Sun, 5 Dec 2021 22:28:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tcL_sp7IsLyi for <cfrg@ietfa.amsl.com>; Sun, 5 Dec 2021 22:28:06 -0800 (PST)
Received: from mail-yb1-f178.google.com (mail-yb1-f178.google.com [209.85.219.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C63543A05E2 for <cfrg@irtf.org>; Sun, 5 Dec 2021 22:28:04 -0800 (PST)
Received: by mail-yb1-f178.google.com with SMTP id 131so28332423ybc.7 for <cfrg@irtf.org>; Sun, 05 Dec 2021 22:28:04 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=05IaG9adi1k28u+v8zGaQSbhULA+KI/f4fucdq0++tU=; b=zVgMBZM1bTdLEG5rXB+9OexsDyWOL3OtRRo4Z8uc+aampg4vlgwSH/PV9dF6n9Ys2f Sf2Ja9UqhucCpmisrKQc8YpjS+HrXiFDPX/HHPrrMTVY2XNtTsEp50OK9+8446nhlBVL bArm3I081GRknNIYOhF/2X+aCyZWl0zVtfzrw8Mbkil36xeAm3pz5Umc4xvE/uAeafT0 BXkD/59i8wecCVvnNp7LomWj1spfNGjS8CkmvUKlpEF8eojYj1oS18W0KN/o7EORXjK8 0EiVd9ZADPeK18gW88RRFZKpAWLPj0Oh99YuIYJC+t9OwWBVh2V3OgXxPI+ANpPm6Z0V XhLA==
X-Gm-Message-State: AOAM532L7YukGxoLcm4K4NWe7j7JPUTTZhgerQnczyyKHfGhDp3DCu5w VDd6LoeiMNeEuYlMmwEQ9UY7Tq2lLyDa1GDSCA/yqddhTlE=
X-Google-Smtp-Source: ABdhPJyXqWlQVURdTUH6gIfSFgSxLfE2euUZION3AQS/gSPgBmCWWzKNgqas7X4+s5rTEwegzeJghQsRN+ixlheg6lo=
X-Received: by 2002:a25:b2a2:: with SMTP id k34mr37790553ybj.575.1638772083900; Sun, 05 Dec 2021 22:28:03 -0800 (PST)
MIME-Version: 1.0
References: <DM8PR11MB573606AC6314879B1B2D36FA9F6B9@DM8PR11MB5736.namprd11.prod.outlook.com>
In-Reply-To: <DM8PR11MB573606AC6314879B1B2D36FA9F6B9@DM8PR11MB5736.namprd11.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 06 Dec 2021 01:27:53 -0500
Message-ID: <CAMm+Lwj52XL0SSr_isbcGjsYRf40NhUK4bmNNSOfunw2KV0x8Q@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000edc57805d2745b17"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EBs6mvOioeU5b8bYUXPRrv24w90>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Dec 2021 06:28:11 -0000

You are missing one of the biggest steps which is availability of FIPS 140
validated HSMs without which nothing is going to be happening.

Nor is it automatic that the WebPKI will adopt PQC just because of
something CFRG does.

X448 and Ed448 have been out for years. Does anyone know of HSMs for
either of them?

Don't forget that HSMs use crypto to secure keys internally and so they
need multiple layers of validation. People are going to have to work on
timing attacks from scratch again.


The other point to consider is that the WebPKI only needs signatures and
there are other, simpler ways to achieve PQC hardening. We could heavily
modify Certificate Transparency for instance.




On Sat, Dec 4, 2021 at 3:33 PM Mike Ounsworth <Mike.Ounsworth=
40entrust.com@dmarc.ietf.org> wrote:

> Responding to a few different branches of this thread:
>
> > "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Sat, 13 November 2021
> 18:50 UTC
> > One complication that certificates have over KEMs (in the context of
> TLS) is that there are more parties involved.
>
> In addition to what Scott mentioned, there is also multiple layers of
> standards bodies involved. A bit of a squinty view:
>
> 1. CFRG will make cryptographic recommendations.
> 2. LAMPS will implement these recommendations for PKI and S/MIME.
> 3. CA/Browser Forum will make these new algs and cert types legal for
> publicly-trusted CAs.
> 4. Root keygen ceremonies need to happen under the newly-minted CA/B rules.
> 5. New root certs need to get included in browser trust stores.
>
> Only then can we start actually using them. These are sequential steps
> that could take 1 - 2 years each. By my reckoning, if we start now, we have
> a 5 - 10 year road until we can actually use this on the web. I haven't
> even considered FIPS or HSM development lead times here...
>
>
>
>
> > "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 02 December 2021
> 16:45 UTC
> > Here are the possibilities and their relation to the usefulness of the
> Hybrid approach.
> >1.  CRQC arrived, Classic hold against classic attacks,  PQ algorithms
> hold - Hybrid is useless.
> >2. CRQC arrived, Classic hold against classic attacks, PQ algorithms fail
> - Hybrid is useless.
> >3. CRQC arrived, Classic broken against classic attacks,  PQ algorithms
> hold - Hybrid is useless.
> >4. CRQC arrived, Classic hold against classic attacks,  PQ algorithms
> broken - Hybrid useless.
> >5. CRQC doesn't arrive, Classic hold against classic attacks,  PQ
> algorithms hold - Hybrid is useless.
> >6. CRQC doesn't arrive, Classic hold against classic attacks,  PQ
> algorithms broken - Hybrid helps.
> >7. CRQC doesn't arrive, Classic broken against classic attacks,  PQ
> algorithms hold - Hybrid is useless.
> >8. CRQC doesn't arrive, Classic broken against classic attacks,  PQ
> algorithms broken - Hybrid is useless.
> >You can see from the above that Hybrid would be of benefit in only one
> case out of eight, one I personally consider among the least probable.
>
>
> IMO the one thing we *do know* is that PQ crypto libs will have
> implementation bugs, which means we *will* have to contend with case 6, at
> least transitively. Which, given your language, gives us a 100% chance that
> hybrid helps :)
>
>
>
> > "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 02 December 2021
> 21:22 UTC
> > I'm asking why the current Classic algorithms have not been paired using
> the same approach - as they have been around from 10 to 25 years longer
> than, e.g.,  NTRU.
>
> Let's say this reasoning is correct; let's say that in retrospect we
> should have layered new ECC implementations with RSA for some transition
> period, isn't that more reason to develop hybrid mechanisms now so that
> they are available the next time we need to transition from an old
> battle-tested thing to a newer thing?
>
> ---
> Mike Ounsworth
> Software Security Architect, Entrust
>
> Any email and files/attachments transmitted with it are confidential and
> are intended solely for the use of the individual or entity to whom they
> are addressed. If this message has been sent to you in error, you must not
> copy, distribute or disclose of the information it contains. Please notify
> Entrust immediately and delete the message from your system.
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email