IETF Logo Mail Archive

Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Sun, 31 March 2019 01:01 UTC

Return-Path: <prvs=9993d15529=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33910120376 for <cfrg@ietfa.amsl.com>; Sat, 30 Mar 2019 18:01:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mM4czB5Xd6tF for <cfrg@ietfa.amsl.com>; Sat, 30 Mar 2019 18:00:59 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id 0CCB8120372 for <cfrg@irtf.org>; Sat, 30 Mar 2019 18:00:58 -0700 (PDT)
Received: from LLE2K16-MBX03.mitll.ad.local (LLE2K16-MBX03.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id x2V10vAv024576; Sat, 30 Mar 2019 21:00:57 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Michael Scott <mike.scott@miracl.com>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
Thread-Index: AQHU2YhP7WSRj7kLJk6h4vQXxVMdaKYLg1EAgAA63ACABtxrAIACXiwAgAwGegCAAD6YAP//creAgADJWQCAAabZAP//zcOAgACYm4CAAcNCAA==
Date: Sun, 31 Mar 2019 01:00:56 +0000
Message-ID: <898778FA-0AC5-42E7-B3C9-3EC5FD169F5C@ll.mit.edu>
References: <155231848866.23086.9976784460361189399@ietfa.amsl.com> <737ea2b3-74e3-d02e-a44d-c44cca5db036@lepidum.co.jp> <CAEseHRrSiJ72tQepyTiL=pSBcRRLGXhnJyy_QzOubWax+v=Ntw@mail.gmail.com> <CAEseHRqh4d0VaeSaj4CWr_ZxJbbpm33ZaLF-aYGBjVowFNLFeQ@mail.gmail.com> <c57bbf7b-3177-eb64-a3c0-26842fccbb89@lepidum.co.jp> <CAEseHRrVomCo6KD7gidCRBzKJDzFZRQ+q0+PjfBr8tQT4dVpMQ@mail.gmail.com> <b016d1f6-68e4-9728-c738-ab72c593dfd1@lepidum.co.jp> <CAEseHRoLGFbf74HT9n2beryc9Liqf2Hz+_rh-yo6Q8hNqwCvNQ@mail.gmail.com> <CAMCcN7RTQU=a+SYVkGUHZ4enOhkA9j9i6ivMRDUwb+aXPZ9hBg@mail.gmail.com> <7AE82BE8-768D-4B70-B7F1-EAF6894E428E@ll.mit.edu> <9CABDAD4-AAB7-46BF-BED7-6A917F828F11@inf.ethz.ch> <27F5D9B6-A44D-4A12-B81D-C4FB01052113@ll.mit.edu> <CAEseHRr-ugC3usMiv6XSWxtw2Yth40FUjrmanQ5+U0xehznfAw@mail.gmail.com>
In-Reply-To: <CAEseHRr-ugC3usMiv6XSWxtw2Yth40FUjrmanQ5+U0xehznfAw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
Content-Type: multipart/signed; boundary="Apple-Mail-13864EFD-557A-484E-949E-17BA1FB63041"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-30_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903310005
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/X6SgIBFmGiLc81aOa_2HFrM60_c>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2019 01:01:02 -0000

Well, I simply did not want to embarrass you publicly, as, frankly, I thought those arguments were poor (regardless of whether Kenny liked them or not) - as I explained in my post.

My points were brief enough that either you or Kenny can show where they are wrong, if you can. 

If there are other arguments - I'd be happy to hear them.

Regards,
Uri

P.S. Since you wrote the MIRACL library, I wouldn't expect such a post from you. But, whatever...

Sent from my iPhone

> On Mar 29, 2019, at 18:06, Michael Scott <mike.scott@miracl.com> wrote:
> 
> Hey those are my arguments (and damned fine ones they are too!). Kenny liked them!
> 
> Really, you should be polite enough to directly attribute them to me.
> 
> (Am I being trolled???)
> 
> Mike 
> 
> > Naïve question: how is this approach supposed to weather in post-quantum world?
> 
>> On Fri, Mar 29, 2019 at 5:00 PM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
>> It doesn’t but we did already discuss that, and good arguments were put forth for continuing the work despite this. (See the mail archive, I guess.)
>> 
>> So far I’ve found this (which IMHO doesn't look like a set of good arguments):
>> 
>> >  1) Pairing-based crypto threw open the doors to lots of nice new crypto possibilities, enabling stuff that we couldn't do before
>> >  2) Gradually post-quantum crypto is catching up and demonstrating capabilities that mirror some (but not all) of these achievements
>> >  3) Post-quantum crypto depends on hard problems that it will take time to develop full confidence in, even in regard to attacks from non-quantum computers
>> >  4) In the meantime (and that could be quite a long time) it makes perfect sense to proceed with the development and standardization
>> >       of non-quantum safe methods.
>> >  5) In the year x out pops a quantum computer. However in the year x-1 out popped well-developed and well-understood
>> >       post-quantum crypto replacements in which we can have complete confidence. 
>> 
>> Re. (1): sure, it would do great stuff, but for how long? What’s the expected lifetime of an algorithm/protocol/approach that would justify efforts spent on formalizing, implementing, and deploying it? What application field or use case would support it?
>> 
>> Re. (2) and (3): sure, but irrelevant with regard to the main question - is it worth developing (for deploying later, as there's an inevitable lag) non-quantum-resistant crypto now?
>> 
>> Re. (4): I see no logic in that statement. We don't have full confidence in post-quantum hard problems, therefore we should standardize methods that we know are not quantum-resistant?
>> 
>> Re. (5): It's only true for data that loses value rapidly. It may work for, e.g., throw-away TLS sessions, but not for, e.g., sensitive email. It seems to ignore the fact that data produced in year x-k (encrypted by good and intercepted by bad players) may still have value in year x, x+1, etc.
>> 
>> I cannot (nor do I want to) tell people what to research or experiment with, and what not to. But common sense suggests that systems/algorithms that do not offer long-term protection won't see large-scale commercial deployment, IRTF draft or not.
>> 
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email