Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 01 April 2019 21:44 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Dan Brown <danibrown@blackberry.com>
CC: CFRG <cfrg@irtf.org>
Date: Mon, 01 Apr 2019 21:44:51 +0000
Message-ID: <3CB8354C-0DC2-450E-84E0-66A30DAD9A26@ll.mit.edu>
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF501DB4A31@XMB116CNC.rim.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/MMuL4wESY3WGf613NWAiJUY60B8>

On 4/1/19, 2:30 PM, "Dan Brown" <danibrown@blackberry.com> wrote:

> The topic of non-PQ crypto's value applies to other CFRG drafts, such as PAKEs, VRFs, Oblivious functions, etc., so maybe this discussion should be taken outside this thread?

+1

> Non-PQ crypto still seems worthwhile to me, mainly because I estimate the chance of a practical
> ECC-breaking quantum computer to be low, e.g. 2^(-10),

I don't know enough to agree or argue with your estimation. Would you mind explaining the reasons behind it?

> ...yet still high enough to warrant a hybrid of PQ and non-PQ crypto, e.g. McEliece + ECC. (See further below.)

+1. Hybrid approach is probably it. Depending on what kind of performance we'd get from pure PQC compared to hybrid, and whether hybrid would preserve the non-PQ capabilities while raising the bar for quantum-based attacks.

>> -----Original Message-----
>> Re. (2) and (3): sure, but irrelevant with regard to the main question - is it
>> worth developing (for deploying later, as there's an inevitable lag) non-
>> quantum-resistant crypto now?
>
> It would be smart to answer these types of questions with quantified support, but all I
> get so far is the naïve estimates below. (Presumably, experts have already documented
> more sophisticated reasoning, maybe see ia.cr/2015/1018).

I do not understand the ECC-related reasoning in that paper by Koblitz and Menezes. Perhaps you can explain it for me? What I read there is: "NSA backdoored EC-DRBG, but they could not break ECC. Therefore, despite themselves promoting ECC and defining it as their mandatory standard, they are now trying to get people off ECC and onto something weaker, using Quantum threat as a prod". 

> For simplicity, consider any crypto as broken or not (at some attack cost and success rate), and then
> compare 3 alternatives: ECC, McEliece (McC), and their hybrid (in the strongest link sense)....

I personally would prefer Isogenies-based approach, otherwise we're probably on the same page.
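The "strongest link" hybrid discussed in this exchange (ECC + a PQ scheme such as McEliece) is usually realised by feeding both shared secrets through one key-derivation step, so that an attacker must recover both to learn the session key. The following is an added illustration, not code from the draft, the thread, or any of the participants: it implements HKDF-SHA256 (RFC 5869) from the standard library and a hypothetical combiner `combine_hybrid`, and uses constructed byte strings in place of real X25519 and McEliece shared secrets. The length-prefixing of the two inputs and the `b"hybrid-kem-v1"` salt are assumptions of this example, not anything the thread specifies.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_hybrid(ss_ecc: bytes, ss_pqc: bytes, transcript: bytes, length: int = 32) -> bytes:
    """Strongest-link combiner (hypothetical construction for this example).

    Both shared secrets go into a single HKDF input; each is length-prefixed so
    that (ss_ecc, ss_pqc) and a differently split concatenation cannot collide.
    The transcript (public keys, ciphertexts) is bound into the info string so a
    key is tied to the exchange that produced it.
    """
    ikm = (len(ss_ecc).to_bytes(2, "big") + ss_ecc
           + len(ss_pqc).to_bytes(2, "big") + ss_pqc)
    prk = hkdf_extract(b"hybrid-kem-v1", ikm)           # assumed domain-separation salt
    return hkdf_expand(prk, b"hybrid key" + transcript, length)


def demo() -> dict:
    """Show that knowing only one of the two secrets does not yield the key.

    The secrets and transcript below are constructed placeholders standing in
    for real X25519 / McEliece outputs and the exchanged public values.
    """
    ss_ecc = hashlib.sha256(b"constructed X25519 shared secret").digest()
    ss_pqc = hashlib.sha256(b"constructed McEliece shared secret").digest()
    transcript = b"constructed transcript: pk_ecc || pk_pqc || ct_pqc"

    key = combine_hybrid(ss_ecc, ss_pqc, transcript)

    # Adversary model: ECC broken (ss_ecc known), PQ scheme intact (ss_pqc unknown).
    ecc_only_guess = combine_hybrid(ss_ecc, b"\x00" * 32, transcript)
    # Adversary model: PQ scheme broken, ECC intact.
    pqc_only_guess = combine_hybrid(b"\x00" * 32, ss_pqc, transcript)

    return {
        "key": key,
        "ecc_only_matches": hmac.compare_digest(key, ecc_only_guess),
        "pqc_only_matches": hmac.compare_digest(key, pqc_only_guess),
        "deterministic": hmac.compare_digest(key, combine_hybrid(ss_ecc, ss_pqc, transcript)),
    }


if __name__ == "__main__":
    result = demo()
    print("session key:", result["key"].hex())
    print("ECC-only attacker recovers key:", result["ecc_only_matches"])
    print("PQC-only attacker recovers key:", result["pqc_only_matches"])
```

The point of the combiner is exactly the "strongest link" property from the quoted message: under the independence assumption, the key falls only if both the ECC and the McEliece secret are recovered, so the hybrid inherits the classical security of ECC today and the quantum resistance of the PQ component if ECC is eventually broken.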