Re: [CFRG] NSA vs. hybrid
"D. J. Bernstein" <djb@cr.yp.to> Sat, 13 November 2021 13:54 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A2323A1597 for <cfrg@ietfa.amsl.com>; Sat, 13 Nov 2021 05:54:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.935
X-Spam-Level:
X-Spam-Status: No, score=-0.935 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PP_MIME_FAKE_ASCII_TEXT=0.964, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nB9UkWBCVhWr for <cfrg@ietfa.amsl.com>; Sat, 13 Nov 2021 05:54:10 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 063913A1596 for <cfrg@irtf.org>; Sat, 13 Nov 2021 05:54:09 -0800 (PST)
Received: (qmail 10994 invoked by uid 1010); 13 Nov 2021 13:54:06 -0000
Received: from unknown (unknown) by unknown with QMTP; 13 Nov 2021 13:54:06 -0000
Received: (qmail 770523 invoked by uid 1000); 13 Nov 2021 13:53:39 -0000
Date: Sat, 13 Nov 2021 13:53:39 -0000
Message-ID: <20211113135339.770521.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <A76CD9D7-7502-4C9D-AFCA-E9378D44E52B@ll.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/IDX8_gnK94K2ZlCtkOpBrGyjpiM>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Nov 2021 13:54:12 -0000
Blumenthal, Uri - 0553 - MITLL writes:
> Using Dan's terminology: you want P chain of trust - ask for it, you
> want Q chain of trust - request that. In the unlikely case of wanting
> both - get both, AFAICT, the overhead would be small.
Google's CECPQ1 experiment and the Google-Cloudflare CECPQ2 experiment
both combined P (ECC) with Q (the post-quantum option). The motivation
was clearly stated, and applies verbatim to signatures too:
The post-quantum algorithm might turn out to be breakable even with
today's computers, in which case the elliptic-curve algorithm will
still provide the best security that todayâs technology can offer.
Alternatively, if the post-quantum algorithm turns out to be secure
then it'll protect the connection even against a future, quantum
computer.
The post-quantum situation since then hasn't become _less_ scary. We've
seen almost every NISTPQC submission losing security, often so much as
to be declared broken. Exciting new attacks are appearing, and the study
of post-quantum implementation failures is in its infancy. Why would it
be unlikely for people to want to combine post-quantum crypto with ECC?
If the answer is that NSA's declaration of confidence is influential:
This is where it would be valuable for CFRG to advise ECC integration
into all post-quantum deployments for the foreseeable future.
> And you expect P+Q certificates to be validated correctly?
I agree that certificate validation is a mess. This is why, regarding
the mechanisms for doing both P and Q, I'd expect that having a new
signature system _internally_ combining P+Q is safer than changing the
certificate-validation logic. I'm puzzled by NSA's unexplained
statements to the contrary. See also Mike's message.
> In practice, large PKI that have multiple intermediary CAs, will
> likely have separate CAs for P and Q certs.
Why? If a CA is interested in offering Q certificates, why would it not
want to provide
* the extra security value of offering P+Q certificates (which are
practically the same size as Q certificates) plus
* the extra compatibility value of offering P certificates?
For the RSA->ECC upgrade there's (1) a stable ECC security picture and
(2) clear performance reasons to not have the ECC signatures accompanied
by RSA signatures. For the post-quantum upgrade, the story is reversed:
the post-quantum security picture isn't stable, and keeping ECC as a
security layer has low cost.
---Dan
- [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Stephen Farrell
- Re: [CFRG] NSA vs. hybrid Scott Fluhrer (sfluhrer)
- Re: [CFRG] NSA vs. hybrid Loganaden Velvindron
- Re: [CFRG] NSA vs. hybrid Soatok Dreamseeker
- Re: [CFRG] NSA vs. hybrid Jeff Burdges
- Re: [CFRG] NSA vs. hybrid Loganaden Velvindron
- Re: [CFRG] NSA vs. hybrid Ilari Liusvaara
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Dan Brown
- Re: [CFRG] NSA vs. hybrid Marek Jankowski
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Soatok Dreamseeker
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Soatok Dreamseeker
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Re: NSA vs. hybrid Björn Haase
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Phillip Hallam-Baker
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Dan Brown
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Martin Thomson
- Re: [CFRG] NSA vs. hybrid Andrey Jivsov
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Loganaden Velvindron
- Re: [CFRG] NSA vs. hybrid Richard Outerbridge
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Christopher Peikert
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Marek Jankowski
- Re: [CFRG] NSA vs. hybrid Mike Hamburg
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Hamburg
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] Re: NSA vs. hybrid Björn Haase