Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

John Mattsson <john.mattsson@ericsson.com> Wed, 03 April 2019 18:25 UTC


The US Suite B were, and the CNSA suite are, approved to protect information up to the TOP SECRET level. Such information is to my knowledge often protected for 50 years, in extraordinary cases for 75 years, and after special permission for more than 75 years.

That NSA is not planning to require US governments to use PQC before 2022/2024 would suggest that they do not expect quantum computers capable of breaking P-384 and RSA-3072 to be available to any foreign government before 2024 + 50/75 years...

Looking at how e.g. the PKI industry has acted in the past with e.g. RSA-1024 and SHA-1, my prediction is that many deployments will continue to use non-PQC until someone has built or is very close to building a quantum computer capable of breaking current ECC and RSA....

-----Original Message-----
From: Cfrg <cfrg-bounces@irtf.org> on behalf of "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Date: Wednesday, 3 April 2019 at 18:45
To: Watson Ladd <watsonbladd@gmail.com>
Cc: cfrg <cfrg@irtf.org>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

    On 4/3/19, 10:59 AM, "Watson Ladd" <watsonbladd@gmail.com> wrote:
        > On Wed, Apr 3, 2019 at 7:54 AM Blumenthal, Uri - 0553 - MITLL
        > <uri@ll.mit.edu> wrote:
        >>
        >> In short, the problem is that one group of people accepts the risks for another group of people.
        >>
        >> As one of back officials said in a private discussion: "Your risk is always lower than our cost."
        >
        > If you don't like these protocols, don't use them. 
    
    This approach would work just fine for protocols and algorithms like PGP. This would absolutely not work for protocols like TLS. I leave it for you to figure why.
    
        > I really do not understand the issue here:
    
    I can see that. ;-)
    
        > ...pairings provide all sorts of efficiencies
        > and nice protocols that we cannot get other ways.
    
    That is true, and nobody is disputing it.
    
        > The argument that
        > now we need to stop doing some kinds of cryptography because in some
        > as of yet unknown timeframe quantum computers will break all the
        > schemes (ignoring the difference between authentication and
        > encryption) made as much sense in 1996 as it does today.
        > And yet today it is a problem but was not in 1996?
    
    Some people tend to think that now, in 2019, the threat to crypto by quantum computers is much closer to reality than it was 23 years ago (to remind, DES was deployed with an expectation of 15 years of life).
    
    They think that since sensitive data tends to "maintain its value", the time for designing new non-quantum-resistant algorithms is coming to an end. Because when you factor in (no pun intended :) the time for commercial implementation and deployment, what's left for the actual use of the algorithm would be too short to justify the effort spent on it.
    
    Other people tend to think that there's no way quantum computers could become a threat in the near/foreseeable future (10-20-30 years, some say 50+, whatever).
    
    Yet others say "yeah, maybe - but due to the cost etc. of such devices, the risk applies mainly to high-level government communications, the majority of the population would still be safe for a long time even after these devices are actually made."
    
    Which camp got it right?
    
        > TLS 1.3 does not have any post-quantum ciphersuites. 
    
    For TLS the update is trivially simple - though you probably saw for yourself that even such a simple thing takes huge time and effort to deploy the fix/update to the majority. We'll probably see PQ ciphersuites after NIST PQC competition concludes. Google has been experimenting with PQ algorithms/protocols for a couple of years now, if not longer. 
    
    This still doesn't deal with the "golden oldies" - valuable data secured with the old stuff...
    
        > The answer here is a good security considerations section.
    
    For a nerd deciding what to play with - sure. For a consumer who uses whatever's provided to connect to his account at Amazon/Deutsche Bank/etc. - hardly.
    
    P.S. You used to express the opinion that developers screw up implementations even when guiding documents are pretty decent. What made you change your mind? ;-)