IETF Logo Mail Archive

Re: [CFRG] NSA vs. hybrid

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 02 December 2021 21:22 UTC

Return-Path: <prvs=897035456e=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F09433A03FE for <cfrg@ietfa.amsl.com>; Thu, 2 Dec 2021 13:22:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W4dnHA04S08K for <cfrg@ietfa.amsl.com>; Thu, 2 Dec 2021 13:22:41 -0800 (PST)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B17203A03FA for <cfrg@irtf.org>; Thu, 2 Dec 2021 13:22:41 -0800 (PST)
Received: from LLEX2019-1.mitll.ad.local (llex2019-1.llan.ll.mit.edu [172.25.4.123]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 1B2LMdkI357341 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <cfrg@irtf.org>; Thu, 2 Dec 2021 16:22:39 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=nD13zAOX5PpDEfYasnv4ZOXWlEot/EIj1PjdLKsRzjs6vBZIbfjC9+XiB1rtcDsJdlHs4Ftl8gH5mk9X6SffIUOHb20zDvAFx0dJrWboDBOLBuiIvFJI3X7zc6VfGC+etJgUUKoAbOBBY2uZVaY+JqbqsBZLLXl7oAV0a7Pm3HEEp7iJf3VKoBhQe+r5PP5XlBInq5JtIkOnYNKB5peKy9tmKutIpuZX/UhDC3LHiiuqtY5CGTmHl6vuXaliDknpDO6cLe03UqOkQ7salraUb98Utoo1XL2aYWB6Gu7SxxqVGegvqOywU2IGs34dUZewR6ndhA5KJEGkr5wy/Y34Mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qTIWidsnk7YAXGnPwuzxJULQtiddFNAMVipi6U0xw7o=; b=xzaCHC3LfwL7xaGXnzsRVhrGGq/n+r7YkKlY5W5vyr25B4sqG2Y/s26e0WP2rdjWcUCd4NvoOwj9nivt1iawxI7nNwLtxQzXcgLSnXa9mZP5/QlNZ7FHcyCxt7MFLKUrJzj7AmsNIvDEEmxmzlrTyEBIKnx4sjVv1voeaEdKi4YGeHJAGiZT3paSO6MoYjnI7AF3RlF3OYUGsfozhPhG4YAq0DEFl9ye3Tmwa2XrZbvjNuQTzMEwEXqBz4VUoY1F2TQ4TPDPm+hdaIlKeIM9TmgSepWwd5GKAom3/G3ZVf/03SiCh8wv9OEk0hgX8GQsXUxMLoUlM5Qfl/NwwDSzRQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: IRTF CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] NSA vs. hybrid
Thread-Index: AQHX16fXW9d+W2Z8cUihngZecK0bMawJon4AgBWL0AD//8Y4gIAAXHOAgAA3pICAAA26gIAAAaGAgAAO4QD//9t4gA==
Date: Thu, 02 Dec 2021 21:22:36 +0000
Message-ID: <76A89A73-C078-4313-8142-FB4B1B5E1A12@ll.mit.edu>
References: <CAAt2M19ELcS23UrEObWyxAVFPDE8N9+9JoVAB_b17fv_yC4Z6A@mail.gmail.com> <85373E4C-01FD-4EA2-AD9E-E4058F8A9B21@ll.mit.edu> <CAAt2M1_zbaWsXK7OA8U3FPTM7f5-qgd4UwDFSDVCZRTibWKPzA@mail.gmail.com>
In-Reply-To: <CAAt2M1_zbaWsXK7OA8U3FPTM7f5-qgd4UwDFSDVCZRTibWKPzA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.54.21101001
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3bc27b0d-3aa9-4fb9-26c6-08d9b5d9dca2
x-ms-traffictypediagnostic: BN1P110MB0866:
x-microsoft-antispam-prvs: <BN1P110MB0866F27B0BB331330CF5116990699@BN1P110MB0866.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: f2xDlxd06vnP9/iOYyFLJAQvruE5SrWERW6ZYf165XR/97Yyw+RQezTX/zpD9Dwh2OcXsAROBYvPLUQDjSZdkCKTlXql0KjYebnA8Ioqlul/7NkNQIvzA8mmihU/zMeITHpNVnpkTLnusuKBePk6BuZhFGlSZeV662w583rc405bVqrTMSeLKa8skyQK4FRi0QOPUJhrj7czt0EjCS9/vDBur9oXvbU3QBNeYdplPb2yUS4GnQ+g5sNsnO7DaNPD+jkbbSqIDl1Zw+BkT/ZZ4XvJsItun50kkRJ5fQFPknwtlUN2yzQL14RhZlRI1uNj/Md9H51M5Z6QV9C9TR2bJzViPeTA//2bPvIhXDC8Hp/7UJxixPE7Lu5RgbGeJoIIW4zYT3WvDbMJDVBWOIxNqxmzRNM2aE0vwYUiBomApVVmL5/TMX96QZXKacLEJf8d3GfdK7vF2AeQTGXvSD9F1eXz/pxEOCanbAyV/eXcl0YHldkMt2PdyQeGKu4ayweNBPBGD5x7UnrN+6r7ocSQrm57mAmep3qXtseSyV9yUW7LrtlD9V466bqEZWw5Xrocovfz7tM79kNE8PpRyI1letKxKNbRuyWoPdIV66d8ZzAjIkimGc7i8fRCfH9uIcXPjc3iqWd8BvReXV9VA+h+VtOpQqhhfrL8SGAqXVxW1ww=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0612.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(122000001)(99936003)(83380400001)(186003)(66446008)(2906002)(71200400001)(66946007)(33656002)(6486002)(66476007)(6916009)(76116006)(8676002)(66556008)(8936002)(64756008)(38100700002)(26005)(5660300002)(38070700005)(86362001)(498600001)(2616005)(75432002)(6506007)(6512007)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: vh3kC2lIIUtSHa2pEgy4x1tyD+z9OD20dCAoA367KsP6JgsXjFu7WdYl7W/nShvO8QtIJpEZOqgbjbgutD/V4tx+BAKzsSzJlOVSV7A6w5QJcQCP6+pQhcDunqsJ9ubwLKzG3gV8uiQ31s3GHHCd7A==
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3721306955_838481429"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0612.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 3bc27b0d-3aa9-4fb9-26c6-08d9b5d9dca2
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Dec 2021 21:22:36.3001 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB0866
X-Proofpoint-GUID: pqvYFfbOCUlXyF3_u9rhGjcecZmThf0N
X-Proofpoint-ORIG-GUID: pqvYFfbOCUlXyF3_u9rhGjcecZmThf0N
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-12-02_14:2021-12-02, 2021-12-02 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 suspectscore=0 mlxscore=0 adultscore=0 bulkscore=0 spamscore=0 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2112020133
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/LEZrHuDHN-ayLc4KDnf5OkqI2bk>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Dec 2021 21:22:44 -0000

Hybrid *with what* in the past decades? 

 

I’ll constrain myself to Key Agreement algorithms (in some form – i.e., RSA is more of a Key Encapsulation, but…).

 

Given that the following algorithms have been around for at least 25 years: RSA, DH(E) (or El Gamal), ECDH(E), NTRU (published in 1996), I’d expect to see at least some combinations of the above. By 2010, only NTRU was still patented – and patents did not stop people from using RSA and ECC (though IETF – correctly – did not embrace them until their patents expired).

 

The backup algorithm has to plausibly be an actual improvement - historically any lowered confidence in RSA only led to greater key lengths, because that was the option that was understood. Performance issues ruled out most hybrid options and there were no obvious secondary or substitute algorithm (especially due to patent issues). 

 

Respectfully disagree. Performance was fairly comparable, so at worst it would’ve doubled the key exchange duration – probably the same effect as increasing RSA key size. As for obvious secondary or substitute – to me the most obvious choice would be an algorithm from “another” class: if your main algo relies on factoring – pick discrete log-based to back it up, or Lattice-based…

 

PQ algorithms simply haven't had enough cryptoanalysis in the past decades for us to be confident in them, so the value proposition was missing. 

 

I’m asking why the current Classic algorithms have not been paired using the same approach – as they have been around from 10 to 25 years longer than, e.g.,  NTRU. 

 

The point is IMO, what is the reason after all for any PQ algorithm?

It’s all about extremely sensitive applications which 1.) could not even tolerate the extremely low risk that a quantum attack on classical crypto becomes practical and 2.) are willing to tolerate the large penalties.

 

Respectfully disagree on all of the above. (1) I do not consider CRQC to be “extremely low risk” – not for the data that must remain secure for a long time. (2) Some of my applications are pretty sensitive, but they are not able (nor willing) to tolerate large penalties.

 

For such a high security application one MUST really take all available mitigation strategies for even the tiniest identified risk IMHO. For instance, I'd put that as a must for our country's embassy communication.

 

Apparently, this is not how things are designed and deployed. I guess it boils down to how much the designers trust their algorithms – but I challenge you to point me at one instance where for security reasons the application uses a Hybrid approach (even symmetric crypto 😊).



And as there is evidence that there IS a risk with any newly implemented crypto primitive, such a high security application needs everything for being on the safe side.

 

Please define “new”. AES (symmetric, granted) is “newer” than NTRU .



Putting it the other way round. Any actual application that does not need to bother about the risk coming with the newer PQ algorithms could stick with classical crypto, IMHO, and help saving our planet's resources by consuming less energy.

 

First, it looks like Lattice-based crypto consumes much less energy than classical, so dropping 3-4 Kb RSA keys would be helpful to save energy. Second – who says that a 70-year-old algorithm is stronger than 25-years-old? Finally, risk is not an absolute static value – it’s the output of an evaluation. I “bother about the risk” very much – but not blindly grasping at whatever’s available (mean no offense or insult). 

And you still did not answer my question: if an “extremely sensitive” applications (in your opinion) cannot rely on one algorithm that’s “only” 20-25 years old – why didn’t people embrace this approach in 1990-ties (ECC + RSA), or 2005-ish (ECC + RSA or NTRU or such), etc. etc.?

 

Den tors 2 dec. 2021 18:40Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> skrev:

Following your logic, why haven’t we been using Hybrid approach for the last two decades? Are we that confident in infallibility of RSA or ECDH(E)?

Regards,

Uri

v2.46.0 | Report a Bug | By Email | System Status