Re: [CFRG] NSA vs. hybrid

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 02 December 2021 16:45 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Soatok Dreamseeker <soatok.dhole@gmail.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 02 Dec 2021 16:45:10 +0000
Message-ID: <3BEDD03E-9545-4DA1-8845-B7CA3414862C@ll.mit.edu>
References: <CAOvwWh2s5m1Lu-EHFOHaCyKd8PQS6DSVHEWM5R9CW382+b62pw@mail.gmail.com>
In-Reply-To: <CAOvwWh2s5m1Lu-EHFOHaCyKd8PQS6DSVHEWM5R9CW382+b62pw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Kp_xKCCD6pPbAy2-lH1ygOMq4Y4>
Subject: Re: [CFRG] NSA vs. hybrid

I'll use the NSA term "CRQC" - Cryptographically-Relevant Quantum Computer. I personally believe (based on my weak understanding of the incomplete scientific data - but understanding that others have probably isn't much better than mine) that CRQC will be built within the "relevant" (IMHO) time, aka - a matter of a decade or two.

Basically, my reasoning against the Hybrid is that it is useless in the majority of cases. But it adds complexity to processing, and unnecessary ballast. 

Here are the possibilities and their relation to the usefulness of the Hybrid approach.

1. CRQC arrived, Classic hold against classic attacks, PQ algorithms hold - Hybrid is useless.
2. CRQC arrived, Classic hold against classic attacks, PQ algorithms fail - Hybrid is useless.
3. CRQC arrived, Classic broken against classic attacks, PQ algorithms hold - Hybrid is useless.
4. CRQC arrived, Classic hold against classic attacks, PQ algorithms broken - Hybrid is useless.
5. CRQC doesn't arrive, Classic hold against classic attacks, PQ algorithms hold - Hybrid is useless.
6. CRQC doesn't arrive, Classic hold against classic attacks, PQ algorithms broken - Hybrid helps.
7. CRQC doesn't arrive, Classic broken against classic attacks, PQ algorithms hold - Hybrid is useless.
8. CRQC doesn't arrive, Classic broken against classic attacks, PQ algorithms broken - Hybrid is useless.

You can see from the above that Hybrid would be of benefit in only one case out of eight, one I personally consider among the least probable. 

Hope this explains my position?

Regards,
Uri 

> On Dec 2, 2021, at 08:27, Soatok Dreamseeker <soatok.dhole@gmail.com> wrote:
> 
> Hi Uri,
> 
>> On Thu, Dec 2, 2021 at 7:55 AM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
>> NIST did not invent the finalists – some of them have more than two decades of research behind them. Situation looks comparable to that with RSA and ECC when those algorithms were brought into standards.
>> 
>> Thus, I do not support the Hybrid approach.
>> 
>> --
>> 
>> Regards,
>> 
>> Uri
>> 
>> There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
>> The other is to make it so complex there are no obvious deficiencies.
>>                                          -  C. A. R. Hoare
>> 
>> From: CFRG <cfrg-bounces@irtf.org> on behalf of Marek Jankowski <mjankowski309@gmail.com>
>> Date: Thursday, December 2, 2021 at 06:23
>> To: Dan Brown <danibrown@blackberry.com>
>> Cc: CFRG <cfrg@irtf.org>, "D. J. Bernstein" <djb@cr.yp.to>
>> Subject: Re: [CFRG] NSA vs. hybrid
>> 
>> Joining Dan, I too believe that the vetting of PQC algorithms should originate in a public process, and that NIST has not yet proven we should rely on the finalists alone. I find it important that CFRG advise upon hybridization both in KEMs and signatures, although I don't have a strong opinion in the composite vs multi-certs debate.
>> In the same context, I worry that not having a FIPS standard for Ed25519, the result of FIPS 186-5's publication being delayed, might cause a delay in adoption of PQ+EC hybrid signatures. CFRG should address this issue and take a proactive stance towards NIST by engaging in discussions regarding the publication of FIPS 186-5 as well as PQC and hybrid standards later on.
>> 
>> Best regards,
>> Marek
>> 
>> On Thu, Nov 18, 2021 at 7:20 PM Dan Brown <danibrown@blackberry.com> wrote:
>> 
>> > D. J. Bernstein wrote (on Friday, November 12, 2021 4:28 AM)
>> >  ...
>> > I would like to see CFRG instead advising integration of ECC into all post-
>> > quantum deployments for the foreseeable future. There's no reason that this
>> > advice has to wait for NISTPQC standards.
>> > ...
>> 
>> I largely agree with the point above (as some might recall from my past CFRG 
>> messages).
>> 
>> Hybrid cryptography in IETF ought to be encouraged by CFRG. At minimum, hybrid 
>> ought to be an option for sensitive applications (high-value data, needing 
>> long-term protection), where the cost seems worth the benefit.  As an 
>> exception, an IETF WG with low-value, short-term data and little budget for 
>> cryptography, might opt for a single non-hybrid PQC algorithm option.
>> 
>> Real-time authentication (e.g., signature-based server authentication in TLS), 
>> might have less risk than other applications (e.g., TLS key exchange), because 
>> new attacks discovered in the future (e.g., relevant quantum computer) cannot 
>> retroactively break today's real-time authentication. Nonetheless, hybrid
>> signatures may still be worth the cost?
>> 
>> For certificate structuring, I don't know which is better: (1) certificates 
>> with hybrid-signatures, or (2) multiple certificates with a single-algorithm 
>> signatures (or (3)=(1)+(2)), but CFRG could contribute significantly to a 
>> recommendation on this issue (e.g. comments already made in this thread). 
>> Perhaps CFRG should defer this more protocol-specific detail to LAMPS?
>> 
>> Organizationally, NIST and IETF could continue to have some interoperable 
>> cryptography options, while working independently on non-interoperable 
>> cryptography options (i.e., hybrid interoperability ;).
>> 
>> Best regards,
>> 
>> Dan
>> 
>> PS. A simplistic cost-benefit approach to choosing hybrid cryptography:
>> https://eprint.iacr.org/2021/608
>> Better methods ought to be possible.   A discussion on this at
>> https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/OpFVbuMYk8c
>> 
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
> 
> Thanks for sharing. Could you elaborate more on why you do not support the Hybrid approach? You said "Thus, I do not support the Hybrid approach" but did not establish a predicate for this conclusion.
> 
> Thank you,
> Soatok
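The eight-case argument in Uri's reply can be checked mechanically. The block below is an added example, not code from the thread or from any of its participants: it models the three binary assumptions (CRQC arrives, classical primitive holds against classical cryptanalysis, PQ primitive holds), derives a session key for a classical-only, PQ-only and hybrid exchange with a concatenation combiner, and asks in which scenarios an adversary who has broken a component can recompute the key. The component secrets are constructed stand-ins, the `CONTEXT` label and the use of HMAC-SHA256 as a simplified KDF are assumptions, and the model assumes (as the thread does) that a CRQC on its own breaks only the classical component.

```python
import hashlib
import hmac
from dataclasses import dataclass
from itertools import product
from typing import List, Optional

# Constructed sample component secrets (stand-ins for the outputs of an ECDH
# exchange and a PQ KEM); a real protocol derives them from the handshake.
SS_CLASSICAL = hashlib.sha256(b"constructed classical shared secret").digest()
SS_PQ = hashlib.sha256(b"constructed post-quantum shared secret").digest()
CONTEXT = b"hybrid-kex-scenario-demo"  # assumed label bound into the KDF


@dataclass(frozen=True)
class Scenario:
    crqc_arrives: bool   # a cryptographically relevant quantum computer exists
    classic_holds: bool  # the classical primitive survives classical cryptanalysis
    pq_holds: bool       # the PQ primitive survives cryptanalysis


def all_scenarios() -> List[Scenario]:
    """The eight combinations of the three binary assumptions."""
    return [Scenario(*bits) for bits in product([True, False], repeat=3)]


def classical_secret_secure(s: Scenario) -> bool:
    # A CRQC breaks the classical component regardless of classical cryptanalysis.
    return s.classic_holds and not s.crqc_arrives


def pq_secret_secure(s: Scenario) -> bool:
    # Model assumption: a CRQC does not by itself affect the PQ component.
    return s.pq_holds


def combine(*shared_secrets: bytes) -> bytes:
    """Concatenation combiner: one KDF call over every component secret.
    Assumption: HMAC-SHA256 with a zero salt stands in for a real HKDF-Extract."""
    return hmac.new(b"\x00" * 32, b"".join(shared_secrets) + CONTEXT, hashlib.sha256).digest()


# Which component secrets each deployment style feeds into the combiner.
COMPONENTS = {
    "classical": ("classical",),
    "pq": ("pq",),
    "hybrid": ("classical", "pq"),
}


def honest_key(mode: str) -> bytes:
    """Session key the two honest parties derive for the given deployment style."""
    secrets = {"classical": SS_CLASSICAL, "pq": SS_PQ}
    return combine(*(secrets[name] for name in COMPONENTS[mode]))


def adversary_key(s: Scenario, mode: str) -> Optional[bytes]:
    """Key the adversary can recompute in scenario s, or None if a needed secret is unknown."""
    known = {
        "classical": None if classical_secret_secure(s) else SS_CLASSICAL,
        "pq": None if pq_secret_secure(s) else SS_PQ,
    }
    parts = [known[name] for name in COMPONENTS[mode]]
    if any(p is None for p in parts):
        return None  # the combiner needs every component; one missing secret blocks it
    return combine(*parts)


def key_broken(s: Scenario, mode: str) -> bool:
    return adversary_key(s, mode) == honest_key(mode)


def hybrid_helps(s: Scenario) -> bool:
    """Hybrid beats a PQ-only deployment exactly when PQ-only breaks but hybrid does not."""
    return key_broken(s, "pq") and not key_broken(s, "hybrid")


def scenarios_where_hybrid_helps() -> List[Scenario]:
    return [s for s in all_scenarios() if hybrid_helps(s)]


def hybrid_never_weaker_than_pq_only() -> bool:
    """Whenever the hybrid key falls, the PQ-only key would have fallen too."""
    return all(key_broken(s, "pq") or not key_broken(s, "hybrid") for s in all_scenarios())


if __name__ == "__main__":
    for s in all_scenarios():
        print(s, "PQ-only broken:", key_broken(s, "pq"), "hybrid broken:", key_broken(s, "hybrid"))
    print("scenarios where hybrid helps:", scenarios_where_hybrid_helps())
```

Running it reproduces the count in the reply: exactly one of the eight scenarios (no CRQC, classical holds, PQ broken) is one where the hybrid key survives while a PQ-only key does not. The enumeration also makes the complementary property explicit: with a concatenation combiner the hybrid key is never easier to recover than the PQ-only key, so the debate in the thread is about whether that one case justifies the extra handshake bytes and code, not about whether hybrid weakens anything.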