Re: [CFRG] NSA vs. hybrid

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 07 December 2021 00:27 UTC

To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/bZXuyO6GARajq9Fxd3eBVO8WOKE>

CRQC (Crypto-Relevant Quantum Computer) is a threat in two ways:
1. Breaking your key exchange and decrypting your confidential information;
2. Forging your digital signature and/or authentication.

For sensitive data, problem (1) is relevant now - because, as you said, ciphertexts could be recorded now and broken/decrypted decade(s) later, when CRQC is available. Hybrid won't help here (and those who don't expect CRQC to arrive can stay with ECC).

As to (2), it's unclear when we need to start worrying (though, probably, not now). Clearly, it's of no advantage to the adversary to forge my signature now on a TLS session established 10 years ago. It may well be a concern for legal documents - e.g., if somebody 10 years from now forges a signature on a mortgage - but I can't evaluate this risk, as I don't have enough understanding of the field. 

So, "quantum annoyance" is not an answer for me: for short-lived data, I don't care at all (for now) - and for long-lived (presumably important) data I can't rely on "well, they're busy cracking zillions of somebody else's data, and my data's turn may not even come".
--
Regards,
Uri
 
There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare