IETF Logo Mail Archive

Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

Marek Jankowski <mjankowski309@gmail.com> Mon, 01 April 2019 16:01 UTC

Return-Path: <mjankowski309@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F326612030F for <cfrg@ietfa.amsl.com>; Mon, 1 Apr 2019 09:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.7
X-Spam-Level:
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_12_24=1.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2bKn3SfLC_I for <cfrg@ietfa.amsl.com>; Mon, 1 Apr 2019 09:01:11 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D3801202E9 for <cfrg@irtf.org>; Mon, 1 Apr 2019 09:00:35 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id c4so8178021ioh.9 for <cfrg@irtf.org>; Mon, 01 Apr 2019 09:00:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=o1Zo0e4KUL2DKUB5bgFEEeUvHabXguLSKLKR+yPWA6w=; b=D0RAbXDvoyz8ikFamQ8APC3NL9iw/B1oI1ec87iehVrP7VPE92pckKkw7B7wYooCeU NcaGqSJuQNMmodknskfwXKD2ZRw6Eg9nyPSlNLCHzpBvMWUmrFwoXBdrgwOtFXBDsqMP 57rZ6T6VW3W+RmU0d4FQ6TKfaHfXPUCSvbURUKgcxdBN288rnZmwgASRW8UcyDIciPr1 FGA4z0yKMKnoeTqQSibEitbKBvcIqgnXaHqTt3JB9zhRsdktQZmwwYjuiL/1iv3j5ISU YahbNe2ehpi3WqSawAUZOikQQhVBylYFFDeGWkCb4MwJqsKKGyahsU+sIdWGyrG9spF1 C0gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=o1Zo0e4KUL2DKUB5bgFEEeUvHabXguLSKLKR+yPWA6w=; b=kNgCOisPVxPLtyIsO1Lq6e37sZ7AhBj3ADSGyfh1VHlujVuDJVucza2+GWRKZMrksj ChicKoRcqnqkms7I//TXrw8NaB8Z7cvZpaa8UKDl97kE9VmJE5ORjw1ImHjrIQ98Ir15 WjhfOVlXiAQAq8O9FCS9Avrlupn6xSYLPh7WbW83PyPBo9ztMpVWjSSr4xrVyulmgOVB zB469ArgSb4wrSToI+Q0Dm/7oOzuk6j/eNPkpf0pkmrJxTXYUJ6uHjstbHKYDm0AoGLZ odimKbVFvtoyyzJbGZVla3UIvYN8Ag4aGObolKH85HfOSQSp4CNYcDlKksp3mfHddGTY AK4g==
X-Gm-Message-State: APjAAAU/hzyv5CPeTM47PbS4nClU+HqMUfAqZ7SRg8P12O8UD+SjtW9K 9njDE7nMngLA9JBd2KJxwUGVMGds4LoUAAtmYi4=
X-Google-Smtp-Source: APXvYqzqgxpAWOKouxtu7CiDU3pW1alIIjvSMJ9AInoOGcqBNErxklXoAu+S3EcpzMh1pvrIyRNJOCM2LQ88rXQ1ogs=
X-Received: by 2002:a6b:790c:: with SMTP id i12mr30364374iop.265.1554134434650; Mon, 01 Apr 2019 09:00:34 -0700 (PDT)
MIME-Version: 1.0
References: <155231848866.23086.9976784460361189399@ietfa.amsl.com> <737ea2b3-74e3-d02e-a44d-c44cca5db036@lepidum.co.jp> <CAEseHRrSiJ72tQepyTiL=pSBcRRLGXhnJyy_QzOubWax+v=Ntw@mail.gmail.com> <CAEseHRqh4d0VaeSaj4CWr_ZxJbbpm33ZaLF-aYGBjVowFNLFeQ@mail.gmail.com> <c57bbf7b-3177-eb64-a3c0-26842fccbb89@lepidum.co.jp> <CAEseHRrVomCo6KD7gidCRBzKJDzFZRQ+q0+PjfBr8tQT4dVpMQ@mail.gmail.com> <b016d1f6-68e4-9728-c738-ab72c593dfd1@lepidum.co.jp> <CAEseHRoLGFbf74HT9n2beryc9Liqf2Hz+_rh-yo6Q8hNqwCvNQ@mail.gmail.com> <CAMCcN7RTQU=a+SYVkGUHZ4enOhkA9j9i6ivMRDUwb+aXPZ9hBg@mail.gmail.com> <7AE82BE8-768D-4B70-B7F1-EAF6894E428E@ll.mit.edu> <9CABDAD4-AAB7-46BF-BED7-6A917F828F11@inf.ethz.ch> <27F5D9B6-A44D-4A12-B81D-C4FB01052113@ll.mit.edu>
In-Reply-To: <27F5D9B6-A44D-4A12-B81D-C4FB01052113@ll.mit.edu>
From: Marek Jankowski <mjankowski309@gmail.com>
Date: Mon, 01 Apr 2019 04:50:08 +0200
Message-ID: <CAMCcN7S4F9H-wr-DCHQWK1KcoRMZM6ShW5z14oUz94_ajY8FPw@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: Paterson Kenneth <kenny.paterson@inf.ethz.ch>, "yonezawa@lepidum.co.jp" <yonezawa@lepidum.co.jp>, CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000e91fb905857a1e90"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RzdPuJ5EsT76PfRc0XICIyix6gk>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2019 16:01:14 -0000

Dear Uri,

Please allow me to step in and share my opinion regarding developing non
quantum secure schemes.

A. As Mike says, we don't know much about current post-quantum schemes,
even against a classical attacker. Due to their theoretical complexity, it
may take dozens of years to develop considerable trust in such schemes. In
the meantime it is worthwhile to develop (classically-)strong PK schemes
with cryptographic advantages. What I mean is - until PQ schemes are made
secure, we will use classical schemes; I think the capabilities pairings
offer (e.g. IBE, short and aggregateable signatures) are appealing enough
to justify standardization.

B. > data produced in year x-k (encrypted by good and intercepted by bad
players) may still have value in year x, x+1, etc.
I agree; yet, given the choice to encrypt data using a provably
(classically-)secure scheme, and a non proven PQ scheme, I would prefer the
former: we don't know if current PQ schemes may be broken by a classical
computer before year x. Classical computers are available today to millions
of potential bad guys, while even when quantum computers are built, it
makes sense that for some time very few people will have access to one.
It is also worth mentioning that pairing based crypto offers signature
schemes with nice qualities (see the recent I-D by Boneh et al.); for
signatures it is perfectly acceptable to use quantum-vulnerable schemes
today. (But not in year x.)

C. Post quantum crypto is generally much more resource intensive than
classical crypto (including pairings), in both complexity and traffic.
Therefore pairing based cryptography works better for lightweight
processors. Data encrypted by such devices is likely to be irrelevant in
20-30 years after transmission (e.g. IoT, smart cars). So it is OK to use
classical crypto there.

D. Pairings are getting into practical use. Examples are several RFCs
(5091, 6508, 6539, 6509), Cloudflare's GeoKey Manager and more, as listed
in the I-D. The rising popularity strengthens the need for a well thought
out standard/set of standards.

To conclude, I believe that developing PQ crypto and classical PK crypto
should be done in parallel, and not one instead of the other. While using
non quantum secure chemes will threaten one's data once a quantum computer
is built, I think it should not slow down research of new crypto
capabilities.

Regards,
Marek.

On Fri, Mar 29, 2019 at 5:59 PM Blumenthal, Uri - 0553 - MITLL <
uri@ll.mit.edu> wrote:

> It doesn’t but we did already discuss that, and good arguments were put
> forth for continuing the work despite this. (See the mail archive, I guess.)
>
> So far I’ve found this (which IMHO doesn't look like a set of good
> arguments):
>
> >  1) Pairing-based crypto threw open the doors to lots of nice new crypto
> possibilities, enabling stuff that we couldn't do before
> >  2) Gradually post-quantum crypto is catching up and demonstrating
> capabilities that mirror some (but not all) of these achievements
> >  3) Post-quantum crypto depends on hard problems that it will take time
> to develop full confidence in, even in regard to attacks from
> non-quantum computers
> >  4) In the meantime (and that could be quite a long time) it makes
> perfect sense to proceed with the development and standardization
> >       of non-quantum safe methods.
> >  5) In the year x out pops a quantum computer. However in the year x-1
> out popped well-developed and well-understood
> >       post-quantum crypto replacements in which we can have complete
> confidence.
>
> Re. (1): sure, it would do great stuff, but for how long? What’s the
> expected lifetime of an algorithm/protocol/approach that would justify
> efforts spent on formalizing, implementing, and deploying it? What
> application field or use case would support it?
>
> Re. (2) and (3): sure, but irrelevant with regard to the main question -
> is it worth developing (for deploying later, as there's an inevitable lag)
> non-quantum-resistant crypto now?
>
> Re. (4): I see no logic in that statement. We don't have full confidence
> in post-quantum hard problems, therefore we should standardize methods that
> we know are not quantum-resistant?
>
> Re. (5): It's only true for data that loses value rapidly. It may work
> for, e.g., throw-away TLS sessions, but not for, e.g., sensitive email. It
> seems to ignore the fact that data produced in year x-k (encrypted by good
> and intercepted by bad players) may still have value in year x, x+1, etc.
>
> I cannot (nor do I want to) tell people what to research or experiment
> with, and what not to. But common sense suggests that systems/algorithms
> that do not offer long-term protection won't see large-scale commercial
> deployment, IRTF draft or not.
>
>
>

v2.23.0 | Report a Bug | By Email