Re: [CFRG] NSA vs. hybrid
"D. J. Bernstein" <djb@cr.yp.to> Fri, 12 November 2021 12:04 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9A2F3A0DA8 for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 04:04:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.935
X-Spam-Level:
X-Spam-Status: No, score=-0.935 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PP_MIME_FAKE_ASCII_TEXT=0.964, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kXJGouOXUG7N for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 04:04:22 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 26D663A0E55 for <cfrg@irtf.org>; Fri, 12 Nov 2021 04:04:21 -0800 (PST)
Received: (qmail 23438 invoked by uid 1010); 12 Nov 2021 12:04:18 -0000
Received: from unknown (unknown) by unknown with QMTP; 12 Nov 2021 12:04:18 -0000
Received: (qmail 636990 invoked by uid 1000); 12 Nov 2021 12:03:49 -0000
Date: Fri, 12 Nov 2021 12:03:49 -0000
Message-ID: <20211112120349.636988.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CAAt2M18seCg-Z_QZRma6nOiXS5SpESc=9Wfg_2brUbwiAxpSxQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/GER1s8_hpoF5Pdz_Qs_XRDcTM6o>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 12:04:25 -0000
> >  [ under "CONS" of "composite" certs ] > > > Can require reworking of certificate validation > > Yikes---sounds scary given how tricky certificate validation is. But > > wait a minute. Isn't certificate validation simply calling signature > > verification as a black box? What has to be reworked here? > In theory it should be simple, in practice there's constant mistakes made in > validating certificate chains and certificate properties. In theory this should > be as simple as requiring dual and identical certificate chains with no > difference but the asymmetric primitives, requiring both to be valid at once. > In practice, I expect this to get messed up in a million different ways. My understanding of the terminology of the slides is that a "composite" certificate is one where the protocol is checking _one_ certificate with _one_ signature from the CA as usual, but the signature details are built _internally_ as requiring two component signatures to be valid. This approach doesn't touch the logic of certificate validation outside the signature-verification black box. So I'm puzzled as to why NSA is pointing to "reworking of certificate validation" as a disadvantage for _this_ approach rather than for the _other_ approach. > >  [ under "PROS" of "non-composite" certs ] > > > Computational processes remain unchanged (but perhaps multiple > > > iterations) > > This sounds weird, given that the whole point is to be adding new > > post-quantum primitives into the picture. Perhaps I'm missing some > > restricted definition of "computational process". > This is essentially a variant of the argument above, you run the validator > twice on different certs with only the primitive being different. The validator > needs additional changes to put both chains in the same cert. Say P is whichever ECC system and Q is whichever post-quantum system. Here's my understanding of the two options under discussion: (1) Send a certificate with a "composite" P+Q signature to satisfy new clients; also, for however long the transition takes, send a certificate with a P signature to satisfy old clients. (2) To satisfy new clients, send a certificate with a Q signature and a certificate with a P signature; the second certificate will also satisfy old clients. I don't see how either of these qualifies as "computational processes remain unchanged": new clients are in any case doing a new Q process. For the first option, there's a new P+Q signature system; for the second option, there's a new Q signature system and new certificate logic. ---Dan
- [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Stephen Farrell
- Re: [CFRG] NSA vs. hybrid Scott Fluhrer (sfluhrer)
- Re: [CFRG] NSA vs. hybrid Loganaden Velvindron
- Re: [CFRG] NSA vs. hybrid Soatok Dreamseeker
- Re: [CFRG] NSA vs. hybrid Jeff Burdges
- Re: [CFRG] NSA vs. hybrid Loganaden Velvindron
- Re: [CFRG] NSA vs. hybrid Ilari Liusvaara
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Dan Brown
- Re: [CFRG] NSA vs. hybrid Marek Jankowski
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Soatok Dreamseeker
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Soatok Dreamseeker
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Re: NSA vs. hybrid Björn Haase
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Phillip Hallam-Baker
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Dan Brown
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Martin Thomson
- Re: [CFRG] NSA vs. hybrid Andrey Jivsov
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Loganaden Velvindron
- Re: [CFRG] NSA vs. hybrid Richard Outerbridge
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Christopher Peikert
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Marek Jankowski
- Re: [CFRG] NSA vs. hybrid Mike Hamburg
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Hamburg
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] Re: NSA vs. hybrid Björn Haase