IETF Logo Mail Archive

Re: [CFRG] NSA vs. hybrid

Marek Jankowski <mjankowski309@gmail.com> Thu, 02 December 2021 11:22 UTC

Return-Path: <mjankowski309@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27FC53A0971 for <cfrg@ietfa.amsl.com>; Thu, 2 Dec 2021 03:22:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DybUZpUebzeq for <cfrg@ietfa.amsl.com>; Thu, 2 Dec 2021 03:22:10 -0800 (PST)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 042223A0126 for <cfrg@irtf.org>; Thu, 2 Dec 2021 03:22:09 -0800 (PST)
Received: by mail-ed1-x52f.google.com with SMTP id y12so114515945eda.12 for <cfrg@irtf.org>; Thu, 02 Dec 2021 03:22:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9iAWqWbVzVeI1emoqXmh1djKcvTn7MOTnpKSACh1rcc=; b=fq+A+dWoCN2BAE7giA+ghmZVs1mGlwnT7YNT8iQYvk1PV0uW3vSI+DAG5lGW8472Zz lwVx0X8Gyy/lv/L/6S++fZURLHr4lsY52HKvSBZ1LcYpG/UQiP+47uTgR9Yr3IzCIUaM 1L9WexjMCCOm4Ez0wFy/1JRCIwe1Ba0KbcrmeJdkHNSFKQ/LWBojHMka+3uvOVQxEma3 CSsttvTyiu+XhpRY3lOY3oxX9dVCzufGgcuPuutVfGVf4d9Xjasta6rCeJ/S4jgdBiNq z60lB/4Dt4M7QrSoebr04lsOwh0qvk1Zukjq1Hl6CzJa1kzKprX8OEb0uXIh5mYT/992 KeYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9iAWqWbVzVeI1emoqXmh1djKcvTn7MOTnpKSACh1rcc=; b=ei6J1jKNVaSzF3J4Zd8Tf0HZYw57e8z77E6tTO+B8k9PJaXZilK3raeO3CwqsC/hVD iL9NH9fDFTM/lDscQv5xpEfJK0+L4jbnu7LOhCpLitBnoDtKz5PLVtM/zQvaeH1qWJgI 5zEuJ+q3IOalY5uCFnEk6Efe3Hqa+lbOFDHehUFzuORhexpYlKvWZ4cBbTRLeIqixjV5 gwz3wj0H5aB1k0Sw8sqrGxjvmOSNNQ/ahMAJDJUYGduVRyRUp8NZifbK3R7gxoePd29u wh8bNKkRsj7z8wER2EPotS2kZCxr7vdIP3yD+7Mr7Bf1zN7xHziwtcmgXAlRnV9NHaDB 2B+A==
X-Gm-Message-State: AOAM531S/zMEmts8LOt8PjvAo8/+OPdoVPvRmArKvH9fJDMMjPULH/B/ uvzx03Ulj7k3hFeEowt/aSL7TKvP6VvA19Ip7kA=
X-Google-Smtp-Source: ABdhPJxgbjwp5SrZVgncGclYWGYbesDwIql4PiicZAZIDIl7P1ARf/Rl1/79KfT3DSQKyGx8jXozkLlf6C4UaTgZ4So=
X-Received: by 2002:a05:6402:653:: with SMTP id u19mr16686813edx.106.1638444126753; Thu, 02 Dec 2021 03:22:06 -0800 (PST)
MIME-Version: 1.0
References: <20211112092811.628364.qmail@cr.yp.to> <9588651a323a489e8e4956e08a64b55f@blackberry.com>
In-Reply-To: <9588651a323a489e8e4956e08a64b55f@blackberry.com>
From: Marek Jankowski <mjankowski309@gmail.com>
Date: Thu, 02 Dec 2021 12:21:54 +0100
Message-ID: <CAMCcN7TmFuu-msYvmWDV=c3R=Vxyg9MBV++o3BfVDHEj8i3NmA@mail.gmail.com>
To: Dan Brown <danibrown@blackberry.com>
Cc: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000028d76b05d228006f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EIBLq_NIccBcSrevSeuqxEzeeY8>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Dec 2021 11:22:15 -0000

Joining Dan, I too believe that the vetting of PQC algorithms should
originate in a public process, and that NIST has not yet proven we should
rely on the finalists alone. I find it important that CFRG advise upon
hybridization both in KEMs and signatures, although I don't have a strong
opinion in the composite vs multi-certs debate.
In the same context, I worry that not having a FIPS standard for Ed25519,
the result of FIPS 186-5's publication being delayed, might cause a delay
in adoption of PQ+EC hybrid signatures. CFRG should address this issue and
take a proactive stance towards NIST by engaging in discussions regarding
the publication of FIPS 186-5 as well as PQC and hybrid standards later on.

Best regards,
Marek

On Thu, Nov 18, 2021 at 7:20 PM Dan Brown <danibrown@blackberry.com> wrote:

> > D. J. Bernstein wrote (on Friday, November 12, 2021 4:28 AM)
> >  ...
> > I would like to see CFRG instead advising integration of ECC into all
> post-
> > quantum deployments for the foreseeable future. There's no reason that
> this
> > advice has to wait for NISTPQC standards.
> > ...
>
> I largely agree with the point above (as some might recall from my past
> CFRG
> messages).
>
> Hybrid cryptography in IETF ought to be encouraged by CFRG. At minimum,
> hybrid
> ought to be an option for sensitive applications (high-value data, needing
> long-term protection), where the cost seems worth the benefit.  As an
> exception, an IETF WG with low-value, short-term data and little budget
> for
> cryptography, might opt for a single non-hybrid PQC algorithm option.
>
> Real-time authentication (e.g., signature-based server authentication in
> TLS),
> might have less risk than other applications (e.g., TLS key exchange),
> because
> new attacks discovered in the future (e.g., relevant quantum computer)
> cannot
> retroactively break today's real-time authentication. Nonetheless, hybrid
> signatures may still be worth the cost?
>
> For certificate structuring, I don't know which is better: (1)
> certificates
> with hybrid-signatures, or (2) multiple certificates with a
> single-algorithm
> signatures (or (3)=(1)+(2)), but CFRG could contribute significantly to a
> recommendation on this issue (e.g. comments already made in this thread).
> Perhaps CFRG should defer this more protocol-specific detail to LAMPS?
>
> Organizationally, NIST and IETF could continue to have some interoperable
> cryptography options, while working independently on non-interoperable
> cryptography options (i.e., hybrid interoperability ;).
>
> Best regards,
>
> Dan
>
> PS. A simplistic cost-benefit approach to choosing hybrid cryptography:
> https://eprint.iacr.org/2021/608
> Better methods ought to be possible.   A discussion on this at
> https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/OpFVbuMYk8c
>
>
> ----------------------------------------------------------------------
> This transmission (including any attachments) may contain confidential
> information, privileged material (including material protected by the
> solicitor-client or other applicable privileges), or constitute non-public
> information. Any use of this information by anyone other than the intended
> recipient is prohibited. If you have received this transmission in error,
> please immediately reply to the sender and delete this information from
> your system. Use, dissemination, distribution, or reproduction of this
> transmission by unintended recipients is not authorized and may be unlawful.
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email