IETF Logo Mail Archive

Re: [CFRG] NSA vs. hybrid

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 06 December 2021 14:21 UTC

Return-Path: <prvs=89745c442d=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45E863A07BC for <cfrg@ietfa.amsl.com>; Mon, 6 Dec 2021 06:21:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rJ6l3Yf4n25I for <cfrg@ietfa.amsl.com>; Mon, 6 Dec 2021 06:21:12 -0800 (PST)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB48A3A0886 for <cfrg@irtf.org>; Mon, 6 Dec 2021 06:21:09 -0800 (PST)
Received: from LLEX2019-1.mitll.ad.local (llex2019-1.llan.ll.mit.edu [172.25.4.123]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 1B6EL4Ik414871 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 6 Dec 2021 09:21:06 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=unJTThD1emOM+dxMh+ccESLWKBw59y+9pZjGHMMv0T87Ymg0Ned9wV2F04OkE8/dci1bHkJHh8cEXy1okteeIehsYM/x5Q1Ar/+EhWst5amX8wjLgCWpvbYkMO2OI2HpJh6MtTUkHPkZbPcF2jKDycYE3toFIWgFvrP80DpVYTTFq+SYxYC/AHYrUUbl94BdHOV1x7D98OJoI92O8SBd0WTybSKGi3y2P9SYOL3z1LSoWaq3yNKbgPiynii3oxYIE8/FvxRef26ZgBhxqo0VcoLQC8IUhlHenBrsgf+8vlsIKA+isqGLlyYKfDRDZQ9GG39FGKgh+ylHlsyuzYisSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Hoxek7F3YCYOilBNFiZpFNjOYQeJPIg2cvXTsI0xWfo=; b=MKj/c96xXGFX1vL/vmTmaH01AMXGn5t5j7MibfvVgklOia9Hr2EX2d4nyLpcEVmI8XuWZnnksG1eKTXPb5T8SWWTcUgQfIl1BXKfA6pfDlNdHB50dkrhlbiIhRurBzthjqGQNvxrJsyKEhXolZmVDn7Y5Gz6D9xWifEg+CJQOkuRO036tY6/6NZ/6+uLlzc6EnFmXmjhAy4J9MkF36hY11sOlb9GZ+H92btbVvZyHVDQaGinPZqfXoBJD644DKoldg/2Mn5C+B7X8oh2e2GKBax+mOhuJPRkFvq4Sa/fTB3f3wGIDUq2f2xpmoLKxRPg2dd6hKD8bOOvPo2lJYy0wQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Phillip Hallam-Baker <phill@hallambaker.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] NSA vs. hybrid
Thread-Index: AQHX6mqTmmFwtAfRLkuOflRnPLbMUKwlMFiA
Date: Mon, 06 Dec 2021 14:21:03 +0000
Message-ID: <94EB618C-0F35-44D8-90CD-1E00EB0A0ABC@ll.mit.edu>
References: <DM8PR11MB573606AC6314879B1B2D36FA9F6B9@DM8PR11MB5736.namprd11.prod.outlook.com> <CAMm+Lwj52XL0SSr_isbcGjsYRf40NhUK4bmNNSOfunw2KV0x8Q@mail.gmail.com>
In-Reply-To: <CAMm+Lwj52XL0SSr_isbcGjsYRf40NhUK4bmNNSOfunw2KV0x8Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.54.21101001
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 36f58246-55fc-4e9c-64c0-08d9b8c3a2dc
x-ms-traffictypediagnostic: CY1P110MB0645:
x-microsoft-antispam-prvs: <CY1P110MB064540ABCA3C48A9EA9EDD84906D9@CY1P110MB0645.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: DSrkRVjBConG2h9K7DmI4McYOPbzg59eGSfDT+5YzSNarzcDwcWvXJ089YE8yNYyrwjEaQmE6v/7Q+cqBZceFAJJl/L/4nEvEVY9tPJ4iLOZwpWgY8LOkL6cLOcQsmGmmZ0qbPpN8o5wPwvOSaka4LRYeNcO2Lt5Oy190bKiyNRlYTOYacfU8iYg7iaah4ULsSn+KchUd0pAEaGzlTBExZWmzSa4gpYfJEqhoYTaWwC7oJVSGh2sXmHnAnqTR3anAaXI2sV46P7tbubwyas7EMR17zfIzSfZBQgKmxvSuf/8+VL540fZPiuvN6FGEilAxUJWPhkdr2yBKSUJrDKZE6myHVN2LZzmtI6d/ZFUFGdRwuB+qG6fyHDUsaUjvWZT7+oIh7GphhMTkUuSh+7YbUUc/7SxANNVoMBRU9tmEqFl1rjdA4kJUpYRH2mLQUd8xH7UDUSSUmdVzYWUcYaaOfPb5C0vHI6G5jRvbbqywG0ukzdexWiIdHq9twJk2DzodQaSN6UXh56IRnBKdRWOlzYMsPeE7L6d9bBCMS+bZBQGTg6sZfAKp1KpOs31qadHnmg8lL6RTyZHgrOtoA4juJ680VK2dGpCTHC5BbIIPtiuzDFKKWI1ATqDxcykoSHGXEKSJaxZ5nug0JkjswtWeZZ1GcSWM7FTkLvu55HkUTefOWUpxMheVuzKXVo/kRXT2oCDCQm02GX3zbkWZYFLpAfH6Ml31UvdoluMf/dIF+goAsJKQkoJ/JZxVcbP4hCi
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY1P110MB0616.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(86362001)(8676002)(122000001)(6916009)(38100700002)(8936002)(2616005)(4326008)(75432002)(6486002)(26005)(83380400001)(71200400001)(2906002)(99936003)(166002)(498600001)(53546011)(6506007)(5660300002)(33656002)(66556008)(64756008)(6512007)(966005)(76116006)(66574015)(66446008)(186003)(66946007)(66476007)(38070700005)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: iAZk2bXK+3bt6XmBjdEZDGMtvyf//MDXTEbPdsNqxcscl3bbdkWYdaWluN8mQ2Yah+O7Urk6nmSrisY0Y4xc24BUfJ1RWn2UNXLTV6TJK5Ew4vHny8htKx0LXTbjvylhjYnCzLRO9TTrF8fp6/Hwxg==
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3721627263_1252539315"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY1P110MB0616.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 36f58246-55fc-4e9c-64c0-08d9b8c3a2dc
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Dec 2021 14:21:03.8313 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1P110MB0645
X-Proofpoint-GUID: 3l50uiisZto2JoWLs-0xiyKjJ0hzADMf
X-Proofpoint-ORIG-GUID: 3l50uiisZto2JoWLs-0xiyKjJ0hzADMf
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-12-06_03:2021-12-06, 2021-12-06 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 suspectscore=0 bulkscore=0 mlxscore=0 malwarescore=0 spamscore=0 phishscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2112060089
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/U485UFjIKBuNMj5fYa3OgLohYuY>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Dec 2021 14:21:17 -0000

> The other point to consider is that the WebPKI only needs signatures and there are other,

> simpler ways to achieve PQC hardening. 

 

I’m not sure I follow. 

In my understanding, PQ hardening (especially for signatures) requires using PQ algorithms – what other ways are there?

 

> We could heavily modify Certificate Transparency for instance.

 

How would that help…?

 

 

 

 

On Sat, Dec 4, 2021 at 3:33 PM Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:

Responding to a few different branches of this thread:

> "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Sat, 13 November 2021 18:50 UTC
> One complication that certificates have over KEMs (in the context of TLS) is that there are more parties involved.

In addition to what Scott mentioned, there is also multiple layers of standards bodies involved. A bit of a squinty view:

1. CFRG will make cryptographic recommendations.
2. LAMPS will implement these recommendations for PKI and S/MIME.
3. CA/Browser Forum will make these new algs and cert types legal for publicly-trusted CAs.
4. Root keygen ceremonies need to happen under the newly-minted CA/B rules.
5. New root certs need to get included in browser trust stores.

Only then can we start actually using them. These are sequential steps that could take 1 - 2 years each. By my reckoning, if we start now, we have a 5 - 10 year road until we can actually use this on the web. I haven't even considered FIPS or HSM development lead times here...




> "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 02 December 2021 16:45 UTC
> Here are the possibilities and their relation to the usefulness of the Hybrid approach.
>1.  CRQC arrived, Classic hold against classic attacks,  PQ algorithms hold - Hybrid is useless.
>2. CRQC arrived, Classic hold against classic attacks, PQ algorithms fail - Hybrid is useless.
>3. CRQC arrived, Classic broken against classic attacks,  PQ algorithms hold - Hybrid is useless.
>4. CRQC arrived, Classic hold against classic attacks,  PQ algorithms broken - Hybrid useless.
>5. CRQC doesn't arrive, Classic hold against classic attacks,  PQ algorithms hold - Hybrid is useless.
>6. CRQC doesn't arrive, Classic hold against classic attacks,  PQ algorithms broken - Hybrid helps.
>7. CRQC doesn't arrive, Classic broken against classic attacks,  PQ algorithms hold - Hybrid is useless.
>8. CRQC doesn't arrive, Classic broken against classic attacks,  PQ algorithms broken - Hybrid is useless.
>You can see from the above that Hybrid would be of benefit in only one case out of eight, one I personally consider among the least probable.


IMO the one thing we *do know* is that PQ crypto libs will have implementation bugs, which means we *will* have to contend with case 6, at least transitively. Which, given your language, gives us a 100% chance that hybrid helps :)



> "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 02 December 2021 21:22 UTC
> I'm asking why the current Classic algorithms have not been paired using the same approach - as they have been around from 10 to 25 years longer than, e.g.,  NTRU.

Let's say this reasoning is correct; let's say that in retrospect we should have layered new ECC implementations with RSA for some transition period, isn't that more reason to develop hybrid mechanisms now so that they are available the next time we need to transition from an old battle-tested thing to a newer thing?

---
Mike Ounsworth
Software Security Architect, Entrust

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email