Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
William Whyte <wwhyte@onboardsecurity.com> Wed, 03 April 2019 11:28 UTC
In-Reply-To: <1554249372811.54517@cs.auckland.ac.nz>
From: William Whyte <wwhyte@onboardsecurity.com>
Date: Wed, 03 Apr 2019 07:28:35 -0400
Message-ID: <CAND9ES1a8SrTuk+8yDJQMOUfGRyY+VNbPGM6m1NFo0v2m9oavw@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Björn Haase <bjoern.m.haase@web.de>, "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/V6zWp07dZiAv0YDuH7hnceqqAEo>
Hi Peter,

>> Another thing about PQC is that all of this is entirely new crypto that we have no experience in using. We've had decades of experience with using PreQC, and have mostly managed to get it right (a lot of the attacks being performed were known about years ago but were ignored until someone published an attack paper with accompanying tools and newsworthy name, and even then there's a huge amount of code in PreQC crypto designed specifically to prevent entire classes of attacks), while we have zero experience with using PQC.

This is an argument for being cautious about deploying PQC. It's not an argument that it's a good idea to develop new PreQC primitives. If anything, it's an argument against that.

Cheers,

William

On Tue, Apr 2, 2019 at 7:57 PM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Björn Haase <bjoern.m.haase@web.de> writes:
>
> > We know that the cost of conventional attacks is low and many applications are actually "worth" the effort of an attack.
>
> Another thing about PQC is that all of this is entirely new crypto that we have no experience in using. We've had decades of experience with using PreQC, and have mostly managed to get it right (a lot of the attacks being performed were known about years ago but were ignored until someone published an attack paper with accompanying tools and newsworthy name, and even then there's a huge amount of code in PreQC crypto designed specifically to prevent entire classes of attacks), while we have zero experience with using PQC. Which means we're going to see years if not decades of new attacks, or the same old attacks that were fixed in PreQC implementations, popping up with PQC. It's quite possible that PQC will make us a lot *less* secure, if QC never really happens but the expected vulnerabilities in using PQC do.
>
> In fact I'll make this prediction now:
>
> Likelihood of successful attacks due to QC: Epsilon.
> Likelihood of successful attacks due to use of PQC over PreQC: 100.0%.
>
> (the second figure should actually be much higher than 100%, because there'll be many, many of them, not just one).
>
> Peter.

--
I may have sent this email out of office hours. I never expect a response outside yours.