Re: [CFRG] NSA vs. hybrid

Natanael <natanael.l@gmail.com> Thu, 02 December 2021 17:34 UTC

From: Natanael <natanael.l@gmail.com>
Date: Thu, 02 Dec 2021 18:34:15 +0100
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: Soatok Dreamseeker <soatok.dhole@gmail.com>, IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] NSA vs. hybrid
Message-ID: <CAAt2M19ELcS23UrEObWyxAVFPDE8N9+9JoVAB_b17fv_yC4Z6A@mail.gmail.com>
In-Reply-To: <3BEDD03E-9545-4DA1-8845-B7CA3414862C@ll.mit.edu>
References: <CAOvwWh2s5m1Lu-EHFOHaCyKd8PQS6DSVHEWM5R9CW382+b62pw@mail.gmail.com> <3BEDD03E-9545-4DA1-8845-B7CA3414862C@ll.mit.edu>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/YBHlOm1YUCFZDTyzof76IKTl0oY>

On Thu, 2 Dec 2021 at 17:45, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
wrote:

> I'll use the NSA term "CRQC" - Cryptographically-Relevant Quantum
> Computer. I personally believe (based on my weak understanding of the
> incomplete scientific data - but understanding that others have probably
> isn't much better than mine) that CRQC will be built within the "relevant"
> (IMHO) time, aka - a matter of a decade or two.
>
> Basically, my reasoning against the Hybrid is that it is useless in the
> majority of cases. But it adds complexity to processing, and unnecessary
> ballast.
>
> Here are the possibilities and their relation to the usefulness of the
> Hybrid approach.
>
> 1. CRQC arrived, Classic hold against classic attacks, PQ algorithms hold - Hybrid is useless.
> 2. CRQC arrived, Classic hold against classic attacks, PQ algorithms fail - Hybrid is useless.
> 3. CRQC arrived, Classic broken against classic attacks, PQ algorithms hold - Hybrid is useless.
> 4. CRQC arrived, Classic hold against classic attacks, PQ algorithms broken - Hybrid is useless.
> 5. CRQC doesn't arrive, Classic hold against classic attacks, PQ algorithms hold - Hybrid is useless.
> 6. CRQC doesn't arrive, Classic hold against classic attacks, PQ algorithms broken - *Hybrid helps*.
> 7. CRQC doesn't arrive, Classic broken against classic attacks, PQ algorithms hold - Hybrid is useless.
> 8. CRQC doesn't arrive, Classic broken against classic attacks, PQ algorithms broken - Hybrid is useless.
>
> You can see from the above that Hybrid would be of benefit in only one
> case out of eight, one I personally consider among the least probable.
>
> Hope this explains my position?
>
>

I disagree with your risk analysis.

The main problem is that we can't predict which of these situations we will
end up in. Simple enumeration doesn't help.

The main issue is that #6 has already been seen today, multiple times, with
algorithms previously expected to hold. That alone should realistically end
the argument that we're ready to deploy exclusively PQ today. It's not a
safe bet to make ourselves dependent on it in advance.

#5 is the only plausible case where betting on hybrid would be considered a
real negative after the fact, and most would complain about performance
more than complexity. And I wouldn't bet on #7 happening (even if it does,
you might pick the wrong candidate).

Practically speaking, we're dealing with weighing the more likely outcomes
that the specific PQ of choice holds (that's a narrowed version of 1/3,
also 5/7) vs a continuation of #6, that it fails while classic algorithms
remain working. #8 and #4 (should be both breaks?) are IMHO less likely; I
expect to see some kind of surviving asymmetric algorithms in both cases.

#2 still protects against adversaries without quantum computing
capabilities.

Hybrid is a hedged bet, and it's a long term bet - data encrypted now can
still be relevant in two decades before we even know if a CRQC is plausible
at all, but we also don't know which algorithms will survive. Hybrid has a
chance of surviving everything but the nightmare scenario, and is the only
choice that can substantially reduce unknown risks.

Going single algorithm is not just a bet on CRQC vs none, but additionally
a bet on that specific algorithm.

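The scenario argument in this exchange can be made explicit as a small decision model. The following is an added example, not code from either poster or from any CFRG draft: it enumerates the three uncertainties named in the thread (does a CRQC arrive, is the classical scheme broken by classical attacks, is the chosen PQ scheme broken) plus the extra dimension Natanael's reply introduces, namely whether the particular adversary you face actually possesses the CRQC. The single assumption about the combiner is that a hybrid key stays secret as long as at least one of its two input shared secrets stays secret; all names in the code are this example's own.

```python
"""Decision model for hybrid vs. single-algorithm key establishment.

Added example for the CFRG "NSA vs. hybrid" thread, not the posters' code.
Assumption: the hybrid combiner yields a secret key whenever at least one of
its two input shared secrets is unknown to the adversary.
"""
from dataclasses import dataclass
from itertools import product

DEPLOYMENTS = ("classic", "pq", "hybrid")


@dataclass(frozen=True)
class World:
    crqc_exists: bool      # a cryptographically relevant quantum computer exists somewhere
    classic_broken: bool   # the classical scheme falls to a classical (non-quantum) attack
    pq_broken: bool        # the chosen PQ scheme is broken


@dataclass(frozen=True)
class Threat:
    world: World
    adversary_has_crqc: bool   # only possible when world.crqc_exists


def worlds():
    """The eight (CRQC, classic, PQ) combinations the quoted list enumerates."""
    return [World(*bits) for bits in product((False, True), repeat=3)]


def threats():
    """Each world paired with every adversary it can contain.

    A world with a CRQC still contains adversaries that do not have one,
    which is the point made about case #2 in the reply.
    """
    out = []
    for w in worlds():
        out.append(Threat(w, False))
        if w.crqc_exists:
            out.append(Threat(w, True))
    return out


def classic_secure(t):
    # The classical scheme survives only a classical-attack-free world AND a
    # non-quantum adversary (Shor-type attacks break it otherwise).
    return not t.world.classic_broken and not t.adversary_has_crqc


def pq_secure(t):
    return not t.world.pq_broken


def is_secure(deployment, t):
    if deployment == "classic":
        return classic_secure(t)
    if deployment == "pq":
        return pq_secure(t)
    if deployment == "hybrid":
        # Assumed combiner property: secure if either input secret is secure.
        return classic_secure(t) or pq_secure(t)
    raise ValueError(deployment)


def hybrid_helps_over(deployment):
    """Threats where hybrid is secure but the single-algorithm choice is not."""
    return [t for t in threats()
            if is_secure("hybrid", t) and not is_secure(deployment, t)]


def hybrid_hurts_over(deployment):
    """Threats where the single choice is secure but hybrid is not (expected empty)."""
    return [t for t in threats()
            if is_secure(deployment, t) and not is_secure("hybrid", t)]


def table():
    """Per-threat security verdict for each deployment option."""
    return [(t, {d: is_secure(d, t) for d in DEPLOYMENTS}) for t in threats()]


if __name__ == "__main__":
    for t, res in table():
        w = t.world
        verdict = " ".join(f"{d}={'ok' if v else 'FAIL'}" for d, v in res.items())
        print(f"crqc={w.crqc_exists!s:5} classic_broken={w.classic_broken!s:5} "
              f"pq_broken={w.pq_broken!s:5} adv_has_crqc={t.adversary_has_crqc!s:5} -> {verdict}")
    print("hybrid helps over pq-only in", len(hybrid_helps_over("pq")), "threat cases")
    print("hybrid helps over classic-only in", len(hybrid_helps_over("classic")), "threat cases")
    print("hybrid worse than pq-only in", len(hybrid_hurts_over("pq")), "threat cases")
```

Two things the table makes visible that the eight-row list does not: hybrid is never worse than either single choice in any threat case (the "cost" is purely performance and complexity, as the reply says), and the quoted case #2 (CRQC arrived, classic holds, PQ broken) splits into two threats, of which the non-quantum adversary is still defeated by the hybrid. The only threat where hybrid falls is the one where both inputs are already gone.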