Re: [CFRG] Re: NSA vs. hybrid

Björn Haase <Bjoern.M.Haase@web.de> Thu, 02 December 2021 17:59 UTC

Message-ID: <trinity-d543261e-fc82-472c-8bb8-f68d6cc3f65d-1638467968518@msvc-mesg-web109>
From: Björn Haase <Bjoern.M.Haase@web.de>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Natanael <natanael.l@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Date: Thu, 02 Dec 2021 18:59:28 +0100
In-Reply-To: <CAAt2M19ELcS23UrEObWyxAVFPDE8N9+9JoVAB_b17fv_yC4Z6A@mail.gmail.com>
References: <CAOvwWh2s5m1Lu-EHFOHaCyKd8PQS6DSVHEWM5R9CW382+b62pw@mail.gmail.com> <3BEDD03E-9545-4DA1-8845-B7CA3414862C@ll.mit.edu> <CAAt2M19ELcS23UrEObWyxAVFPDE8N9+9JoVAB_b17fv_yC4Z6A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KTFaJSyQb0vbpXN02MaKxE602ZQ>

Dear Uri,

The point is IMO, what is the reason after all for any PQ algorithm?

It's all about extremely sensitive applications which 1.) could not even tolerate the extremely low risk that a quantum attack on classical crypto becomes practical and 2.) are willing to tolerate the large penalties.

For such a high security application one MUST really take all available mitigation strategies for even the tiniest identified risk IMHO. For instance I'd put that as a must for our country's embassy communication.

And as there is evidence that there IS a risk with any newly implemented crypto primitive, such a high security application needs everything for being on the safe side.

Putting it the other way round: any actual application that does not need to bother about the risk coming with the newer PQ algorithms could stick with classical crypto, IMHO, and help save our planet's resources by consuming less energy.

Yours,

Björn



--
This message was sent from my Android mobile phone with WEB.DE Mail.
On 02.12.21, 18:35, Natanael <natanael.l@gmail.com> wrote:


On Thu, 2 Dec 2021 17:45, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
I'll use the NSA term "CRQC" - Cryptographically-Relevant Quantum Computer. I personally believe (based on my weak understanding of the incomplete scientific data - but understanding that others have probably isn't much better than mine) that CRQC will be built within the "relevant" (IMHO) time, aka - a matter of a decade or two.

Basically, my reasoning against the Hybrid is that it is useless in the majority of cases. But it adds complexity to processing, and unnecessary ballast. 

Here are the possibilities and their relation to the usefulness of the Hybrid approach.

1.  CRQC arrived, Classic hold against classic attacks,  PQ algorithms hold - Hybrid is useless. 
2. CRQC arrived, Classic hold against classic attacks, PQ algorithms fail - Hybrid is useless. 
3. CRQC arrived, Classic broken against classic attacks,  PQ algorithms hold - Hybrid is useless. 
4. CRQC arrived, Classic hold against classic attacks,  PQ algorithms broken - Hybrid useless. 
5. CRQC doesn’t arrive, Classic hold against classic attacks,  PQ algorithms hold - Hybrid is useless. 
6. CRQC doesn’t arrive, Classic hold against classic attacks,  PQ algorithms broken - Hybrid helps
7. CRQC doesn’t arrive, Classic broken against classic attacks,  PQ algorithms hold - Hybrid is useless. 
8. CRQC doesn’t arrive, Classic broken against classic attacks,  PQ algorithms broken - Hybrid is useless. 

You can see from the above that Hybrid would be of benefit in only one case out of eight, one I personally consider among the least probable. 

Hope this explains my position?

I disagree with your risk analysis. 

The main problem is that we can't predict which of these situations we will end up in. Simple enumeration doesn't help. 

The main issue is that #6 has already been seen today, multiple times, with algorithms previously expected to hold. That alone should realistically end the argument that we're ready to deploy exclusively PQ today. It's not a safe bet to make ourselves dependent on it in advance.

#5 is the only plausible case where betting on hybrid would be considered a real negative after the fact, and most would complain about performance more than complexity. And I wouldn't bet on #7 happening (even if it does you might pick the wrong candidate). 

Practically speaking we're dealing with weighing the more likely outcomes that the specific PQ of choice holds (that's a narrowed version of 1/3, also 5/7) vs a continuation of #6, that it fails while classic algorithms remain working. #8 and #4 (should be both breaks?) are IMHO less likely, I expect to see some kind of surviving asymmetric algorithms in both cases. 

#2 still protects against adversaries without quantum computing capabilities. 

Hybrid is a hedged bet, and it's a long term bet - data encrypted now can still be relevant in two decades before we even know if a CRQC is plausible at all, but we also don't know which algorithms will survive. Hybrid has a chance of surviving everything but the nightmare scenario, and is the only choice that can substantially reduce unknown risks.

Going single algorithm is not just a bet on CRQC vs none, but additionally a bet on that specific algorithm. 
_______________________________________________ CFRG mailing list CFRG@irtf.org https://www.irtf.org/mailman/listinfo/cfrg
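The mechanism the thread argues about, as an added example that is not code from any of the messages above: a hybrid KEM combiner that concatenates the classical and PQ shared secrets (length-prefixed), binds both ciphertexts into the derivation, and runs the result through HKDF-SHA256. Uri's case table and Natanael's "hedged bet" both reduce to one property of such a combiner: an attacker recovers the session key only if they recover both component secrets. The combiner layout, the `StandInKEM` (a deliberately insecure placeholder so the code runs offline), and all function names are the editor's assumptions, not anything from the thread or from a standard.

```python
import hashlib
import hmac
import os


def _lp(b: bytes) -> bytes:
    """Length-prefix a field so that concatenating variable-length inputs is unambiguous."""
    return len(b).to_bytes(2, "big") + b


def combine(ss_classical: bytes, ss_pq: bytes, ct_classical: bytes, ct_pq: bytes,
            context: bytes = b"hybrid-kem-example") -> bytes:
    """Concatenate both shared secrets and run them through HKDF-SHA256 (extract, then one
    expand block), with both ciphertexts mixed into the salt so the key is bound to the
    transcript. If either shared secret is unknown to an attacker, the output is
    unpredictable to them; that is the whole point of the hybrid construction.
    (Assumed design for this example, not the layout of any particular draft.)"""
    ikm = _lp(ss_classical) + _lp(ss_pq)
    salt = hashlib.sha256(_lp(ct_classical) + _lp(ct_pq)).digest()
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()                 # HKDF-Extract
    return hmac.new(prk, context + b"\x01", hashlib.sha256).digest()   # HKDF-Expand, T(1)


class StandInKEM:
    """Placeholder KEM with NO security (the ciphertext is the secret XORed with the public
    key). It exists only so the combiner can be exercised offline; in a real deployment the
    two slots would hold e.g. an ECDH-based KEM and a lattice KEM."""

    @staticmethod
    def keygen():
        sk = os.urandom(32)
        pk = hashlib.sha256(b"pk" + sk).digest()
        return pk, sk

    @staticmethod
    def encap(pk: bytes):
        ss = os.urandom(32)
        ct = bytes(a ^ b for a, b in zip(ss, pk))
        return ct, ss

    @staticmethod
    def decap(sk: bytes, ct: bytes) -> bytes:
        pk = hashlib.sha256(b"pk" + sk).digest()
        return bytes(a ^ b for a, b in zip(ct, pk))


def hybrid_handshake():
    """One hybrid exchange: Bob publishes two public keys, Alice encapsulates to both, and
    both sides derive the same key. Also returns the transcript and the component secrets
    so the attacker scenarios below can be evaluated against a real run."""
    pk_c, sk_c = StandInKEM.keygen()
    pk_pq, sk_pq = StandInKEM.keygen()
    ct_c, ss_c = StandInKEM.encap(pk_c)            # Alice's side
    ct_pq, ss_pq = StandInKEM.encap(pk_pq)
    alice_key = combine(ss_c, ss_pq, ct_c, ct_pq)
    bob_key = combine(StandInKEM.decap(sk_c, ct_c),   # Bob's side
                      StandInKEM.decap(sk_pq, ct_pq), ct_c, ct_pq)
    return alice_key, bob_key, (ct_c, ct_pq), (ss_c, ss_pq)


def attacker_recovers_key(classical_broken: bool, pq_broken: bool) -> bool:
    """Model one row of the case table from the thread: 'broken' means the attacker can
    recover that component's shared secret from its ciphertext (CRQC for the classical
    slot, cryptanalysis for the PQ slot); otherwise the best they can do is guess it.
    Returns True iff the attacker ends up holding the real session key."""
    alice_key, bob_key, (ct_c, ct_pq), (ss_c, ss_pq) = hybrid_handshake()
    assert alice_key == bob_key
    guess_c = ss_c if classical_broken else os.urandom(32)
    guess_pq = ss_pq if pq_broken else os.urandom(32)
    return hmac.compare_digest(combine(guess_c, guess_pq, ct_c, ct_pq), alice_key)


def ciphertext_is_bound() -> bool:
    """Flipping one bit of a ciphertext changes the derived key even when both shared
    secrets are unchanged, so a transcript mismatch cannot go unnoticed."""
    alice_key, _, (ct_c, ct_pq), (ss_c, ss_pq) = hybrid_handshake()
    tampered = bytes([ct_c[0] ^ 1]) + ct_c[1:]
    return combine(ss_c, ss_pq, tampered, ct_pq) != alice_key


if __name__ == "__main__":
    for c in (False, True):
        for q in (False, True):
            print(f"classical broken={c!s:5} pq broken={q!s:5} -> attacker has key: "
                  f"{attacker_recovers_key(c, q)}")
```

Running the block prints four rows: the attacker only obtains the session key when both components are broken, which is the single case in which Natanael concedes hybrid does not help; in the rows where exactly one component fails (a CRQC, or a break of the chosen PQ scheme) the combined key is still unknown to them. The usual security argument for this kind of combiner also requires that the KDF behave as a pseudorandom function in whichever half of the concatenated input is still secret, so the choice of KDF is not a detail; and the `StandInKEM` must be replaced with real KEMs before any of this means anything in practice.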