Re: [CFRG] Re: NSA vs. hybrid
Björn Haase <Bjoern.M.Haase@web.de> Thu, 02 December 2021 17:59 UTC
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Natanael <natanael.l@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KTFaJSyQb0vbpXN02MaKxE602ZQ>
I'll use the NSA term "CRQC" - Cryptographically-Relevant Quantum Computer. I personally believe (based on my weak understanding of the incomplete scientific data - but the understanding that others have probably isn't much better than mine) that a CRQC will be built within the "relevant" (IMHO) time, aka a matter of a decade or two.
Basically, my reasoning against the Hybrid is that it is useless in the majority of cases. But it adds complexity to processing, and unnecessary ballast.
Here are the possibilities and their relation to the usefulness of the Hybrid approach.
1. CRQC arrived, Classic hold against classic attacks, PQ algorithms hold - Hybrid is useless.
2. CRQC arrived, Classic hold against classic attacks, PQ algorithms fail - Hybrid is useless.
3. CRQC arrived, Classic broken against classic attacks, PQ algorithms hold - Hybrid is useless.
4. CRQC arrived, Classic hold against classic attacks, PQ algorithms broken - Hybrid useless.
5. CRQC doesn't arrive, Classic hold against classic attacks, PQ algorithms hold - Hybrid is useless.
6. CRQC doesn't arrive, Classic hold against classic attacks, PQ algorithms broken - Hybrid helps.
7. CRQC doesn't arrive, Classic broken against classic attacks, PQ algorithms hold - Hybrid is useless.
8. CRQC doesn't arrive, Classic broken against classic attacks, PQ algorithms broken - Hybrid is useless.
You can see from the above that Hybrid would be of benefit in only one case out of eight, one I personally consider among the least probable.
Hope this explains my position?
I disagree with your risk analysis.
The main problem is that we can't predict which of these situations we will end up in. Simple enumeration doesn't help.
The main issue is that #6 has already been seen today, multiple times, with algorithms previously expected to hold. That alone should realistically end the argument that we're ready to deploy exclusively PQ today. It's not a safe bet to make ourselves dependent on it in advance.
#5 is the only plausible case where betting on hybrid would be considered a real negative after the fact, and most would complain about performance more than complexity. And I wouldn't bet on #7 happening (even if it does you might pick the wrong candidate).
Practically speaking we're dealing with weighing the more likely outcomes that the specific PQ of choice holds (that's a narrowed version of 1/3, also 5/7) vs. a continuation of #6, that it fails while classic algorithms remain working. #8 and #4 (should be both breaks?) are IMHO less likely; I expect to see some kind of surviving asymmetric algorithms in both cases.
#2 still protects against adversaries without quantum computing capabilities.
Hybrid is a hedged bet, and it's a long-term bet - data encrypted now can still be relevant in two decades, before we even know if a CRQC is plausible at all, but we also don't know which algorithms will survive. Hybrid has a chance of surviving everything but the nightmare scenario, and is the only choice that can substantially reduce unknown risks.
Going single algorithm is not just a bet on CRQC vs none, but additionally a bet on that specific algorithm.
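To make the "hedged bet" concrete, here is an added example (not code from this thread or from any of its participants) of the mechanism the whole argument is about: a hybrid key-exchange combiner that derives one session key from a classical shared secret and a post-quantum shared secret. The two KEM runs themselves are assumed to happen elsewhere and their outputs are taken as opaque bytes; the HKDF label, the `b"session key"` info string and the transcript value are constructed for the demo. The combiner is a PRF-based KDF over the concatenation of both secrets, so the session key stays pseudorandom as long as either input is unknown to the attacker: that is exactly the property that makes case #6 (PQ broken, classical still holding) survivable, and the "nightmare" case (both broken) unsurvivable.

```python
"""Hybrid key-exchange combiner: session_key = HKDF(ss_classical || ss_pq, transcript).

Added example, not code from the CFRG thread.  The component secrets are opaque
bytes; the classical and PQ KEM runs are assumed to happen elsewhere.  The HKDF
label, info string and transcript value are constructed for this demo.
"""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) instantiated with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) instantiated with HMAC-SHA256."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """RFC 5869 test case 1; returns True when the HKDF above reproduces it."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


HYBRID_LABEL = b"example hybrid KEM combiner"  # constructed domain-separation label


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes,
                           transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from both component secrets.

    Because the KDF is a PRF keyed by the whole concatenation, an attacker who
    recovers only ss_classical (a CRQC) or only ss_pq (a cryptanalytic break of
    the PQ scheme) still faces an unknown 32-byte portion of the input.  Only
    recovering both secrets yields the key.  Binding the transcript ties the
    key to this session's key shares and ciphertexts.
    """
    if len(ss_classical) == 0 or len(ss_pq) == 0:
        raise ValueError("both component secrets must be present")
    # Fixed-width length prefixes keep the concatenation unambiguous.
    ikm = (len(ss_classical).to_bytes(2, "big") + ss_classical
           + len(ss_pq).to_bytes(2, "big") + ss_pq)
    prk = hkdf_extract(HYBRID_LABEL, ikm)
    return hkdf_expand(prk, b"session key" + transcript, length)


def demo() -> dict:
    """Constructed run: both sides agree; knowing one component alone does not."""
    ss_classical = os.urandom(32)  # stands in for an X25519-style shared secret
    ss_pq = os.urandom(32)         # stands in for a PQ KEM shared secret
    transcript = b"client_hello||server_hello"  # placeholder transcript
    k_client = combine_shared_secrets(ss_classical, ss_pq, transcript)
    k_server = combine_shared_secrets(ss_classical, ss_pq, transcript)
    # Attacker view: one secret recovered, the other unknown (modelled as a zero guess).
    k_classical_only = combine_shared_secrets(ss_classical, bytes(32), transcript)
    k_pq_only = combine_shared_secrets(bytes(32), ss_pq, transcript)
    return {
        "both_sides_agree": k_client == k_server,
        "classical_only_matches": k_classical_only == k_client,
        "pq_only_matches": k_pq_only == k_client,
    }


if __name__ == "__main__":
    print("HKDF self-test:", hkdf_self_test())
    print(demo())
```

The design choice worth noting is that the hedge lives entirely in the combiner: nothing about either component scheme changes, and the cost Uri objects to (a second key share on the wire and a second KEM operation) is the price of the extract-over-both-secrets step. It also shows the limit Natanael concedes: if both inputs are recoverable, the KDF cannot manufacture secrecy from nothing.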