Re: [CFRG] NSA vs. hybrid

Mike Ounsworth <Mike.Ounsworth@entrust.com> Sat, 04 December 2021 20:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Y9PgC0RtfbfwhAJmykOKBpxOq5Q>

Responding to a few different branches of this thread:

> "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Sat, 13 November 2021 18:50 UTC
> One complication that certificates have over KEMs (in the context of TLS) is that there are more parties involved.

In addition to what Scott mentioned, there are also multiple layers of standards bodies involved. A bit of a squinty view:

1. CFRG will make cryptographic recommendations.
2. LAMPS will implement these recommendations for PKI and S/MIME.
3. CA/Browser Forum will make these new algs and cert types legal for publicly-trusted CAs.
4. Root keygen ceremonies need to happen under the newly-minted CA/B rules.
5. New root certs need to get included in browser trust stores.

Only then can we start actually using them. These are sequential steps that could take 1 - 2 years each. By my reckoning, if we start now, we have a 5 - 10 year road until we can actually use this on the web. I haven't even considered FIPS or HSM development lead times here...




> "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 02 December 2021 16:45 UTC
> Here are the possibilities and their relation to the usefulness of the Hybrid approach.
> 1. CRQC arrived, Classic hold against classic attacks, PQ algorithms hold - Hybrid is useless.
> 2. CRQC arrived, Classic hold against classic attacks, PQ algorithms fail - Hybrid is useless.
> 3. CRQC arrived, Classic broken against classic attacks, PQ algorithms hold - Hybrid is useless.
> 4. CRQC arrived, Classic hold against classic attacks, PQ algorithms broken - Hybrid useless.
> 5. CRQC doesn't arrive, Classic hold against classic attacks, PQ algorithms hold - Hybrid is useless.
> 6. CRQC doesn't arrive, Classic hold against classic attacks, PQ algorithms broken - Hybrid helps.
> 7. CRQC doesn't arrive, Classic broken against classic attacks, PQ algorithms hold - Hybrid is useless.
> 8. CRQC doesn't arrive, Classic broken against classic attacks, PQ algorithms broken - Hybrid is useless.
>You can see from the above that Hybrid would be of benefit in only one case out of eight, one I personally consider among the least probable.


IMO the one thing we *do know* is that PQ crypto libs will have implementation bugs, which means we *will* have to contend with case 6, at least transitively. Which, given your language, gives us a 100% chance that hybrid helps :)



> "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 02 December 2021 21:22 UTC
> I'm asking why the current Classic algorithms have not been paired using the same approach - as they have been around from 10 to 25 years longer than, e.g.,  NTRU.

Let's say this reasoning is correct, and that in retrospect we should have layered new ECC implementations with RSA for some transition period. Isn't that more reason to develop hybrid mechanisms now, so that they are available the next time we need to transition from an old battle-tested thing to a newer thing?

---
Mike Ounsworth
Software Security Architect, Entrust

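As an added illustration (not part of Mike's message or anything else posted on the list), here is a Python sketch of the mechanism the thread is arguing about: a hybrid KEM combiner that feeds two independent shared secrets into one KDF, so the session key stays unpredictable as long as either component keeps its secret. It models Uri's case 6 and Mike's implementation-bug point by giving the "PQ" component a broken RNG that always uses the same ephemeral exponent, the kind of defect an attacker who knows about it can replay from public data. Everything concrete here is an assumption for the demo: both components are a toy Diffie-Hellman-as-KEM over a small prime (not secure, chosen only so the code runs offline with the standard library), `BROKEN_SEED` is a made-up constant, and the combiner shape (HKDF over the concatenated secrets, salted with both ciphertexts) is one reasonable construction, not a standardized one.

```python
"""Hybrid KEM combiner demo (added example; not code from the CFRG thread)."""
import hashlib
import hmac
import secrets

# Toy group for the demo only: 2^127 - 1 is prime, but this size and the
# generator choice are illustrative assumptions, not a real parameter set.
P = (1 << 127) - 1
G = 5

# Assumed constant modelling an RNG bug: the broken encapsulator always
# uses this exponent instead of fresh randomness.
BROKEN_SEED = 0x1234


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) using only the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _int_bytes(x: int) -> bytes:
    return x.to_bytes(16, "big")


class ToyKem:
    """Diffie-Hellman wrapped as a KEM: pk = g^a, ct = g^b, ss = H(g^ab).

    `rng` is injectable so a broken implementation (predictable ephemeral
    randomness) can be modelled; the default uses real OS randomness.
    """

    def __init__(self, rng=None):
        self.rng = rng or (lambda: secrets.randbelow(P - 2) + 1)

    def keygen(self):
        sk = secrets.randbelow(P - 2) + 1
        return _int_bytes(pow(G, sk, P)), sk

    def encap(self, pk: bytes):
        b = self.rng()
        ct = _int_bytes(pow(G, b, P))
        ss = hashlib.sha256(_int_bytes(pow(int.from_bytes(pk, "big"), b, P))).digest()
        return ct, ss

    def decap(self, sk: int, ct: bytes) -> bytes:
        return hashlib.sha256(_int_bytes(pow(int.from_bytes(ct, "big"), sk, P))).digest()


def combine(ss_classic: bytes, ss_pq: bytes, ct_classic: bytes, ct_pq: bytes,
            context: bytes = b"hybrid-demo") -> bytes:
    """Combiner: K = HKDF(ss_classic || ss_pq, salt = ct_classic || ct_pq).

    Binding both ciphertexts ties K to the transcript; because both secrets
    enter the same PRF, an attacker holding only one of them learns nothing
    usable about K.
    """
    return hkdf(ss_classic + ss_pq, salt=ct_classic + ct_pq, info=context)


def run_handshake(pq_rng=None):
    """One hybrid exchange. Returns (session key, public transcript, secrets)."""
    classic, pq = ToyKem(), ToyKem(rng=pq_rng)
    pk_c, sk_c = classic.keygen()
    pk_p, sk_p = pq.keygen()
    ct_c, ss_c = classic.encap(pk_c)
    ct_p, ss_p = pq.encap(pk_p)
    # Responder recomputes both secrets from its private keys.
    assert classic.decap(sk_c, ct_c) == ss_c and pq.decap(sk_p, ct_p) == ss_p
    key = combine(ss_c, ss_p, ct_c, ct_p)
    transcript = {"pk_classic": pk_c, "pk_pq": pk_p, "ct_classic": ct_c, "ct_pq": ct_p}
    return key, transcript, {"ss_classic": ss_c, "ss_pq": ss_p}


def attacker_recover_pq_ss(transcript):
    """Attacker who knows the RNG bug replays the encapsulation from public data.

    If the replayed ciphertext matches the transcript, the bug hypothesis is
    confirmed and the returned value is the real PQ shared secret.
    """
    ct, ss = ToyKem(rng=lambda: BROKEN_SEED).encap(transcript["pk_pq"])
    return ss if ct == transcript["ct_pq"] else None


def demo():
    """Case 6 from the thread: classical holds, PQ component is broken."""
    key, transcript, sec = run_handshake(pq_rng=lambda: BROKEN_SEED)
    recovered = attacker_recover_pq_ss(transcript)
    # A PQ-only deployment derives its key from ss_pq alone, so it falls.
    pq_only = hkdf(sec["ss_pq"], salt=transcript["ct_pq"], info=b"pq-only")
    attacker_pq_only = hkdf(recovered or b"", salt=transcript["ct_pq"], info=b"pq-only")
    # Against the hybrid the attacker still lacks ss_classic; plugging in a
    # guess (here all zeros) for it does not reproduce the session key.
    attacker_hybrid = combine(bytes(32), recovered or b"",
                              transcript["ct_classic"], transcript["ct_pq"])
    return {
        "attacker_has_pq_secret": recovered == sec["ss_pq"],
        "pq_only_broken": attacker_pq_only == pq_only,
        "hybrid_survives": attacker_hybrid != key,
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is narrow but exactly the one in dispute: with a combiner of this shape, a defect that exposes one component's secret (here, replayable randomness in the "PQ" side) turns a PQ-only key into public knowledge while leaving the hybrid key out of reach, at the cost of one extra key-establishment component and a few bytes of KDF input.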