Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 09 December 2021 01:36 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
CC: CFRG <cfrg@irtf.org>
Date: Thu, 09 Dec 2021 01:36:16 +0000
Message-ID: <14D2E803-5632-4B4D-BDC4-5A55A85DCBFF@ll.mit.edu>
References: <BL3PR11MB5732F4B9822A93E08E7E115F9F6D9@BL3PR11MB5732.namprd11.prod.outlook.com> <310998F0-F6A8-46D0-AF14-A85367169396@ll.mit.edu> <e8e80662-ac81-4845-8f8c-64ac81e30890@www.fastmail.com> <CAOp4FwQTyYGWLRoMYA_+kaGAzGjTb1Z=6kcQfGkmrw_7oEHqhQ@mail.gmail.com> <2213E164-231B-4D95-9CEE-5808E5EE8034@interlog.com> <BL3PR11MB57323BB269FE39E9BB19BC029F6F9@BL3PR11MB5732.namprd11.prod.outlook.com>
In-Reply-To: <BL3PR11MB57323BB269FE39E9BB19BC029F6F9@BL3PR11MB5732.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/eUa01kgi-SAR600KLpcuuV3jrg0>

On 12/8/21, 18:44, "CFRG on behalf of Mike Ounsworth" <cfrg-bounces@irtf.org on behalf of Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:

> > As has been noted, so has NTRU gone through a good amount of review,
> > even more perhaps than Rijndael by this point in the competition for AES.
>
> I'm probably gonna embarrass myself, but here goes ... The argument
> that I've heard made is that there's a quantum leap (pun intended)
> between the complexity of the mathematics of RSA/ECC and NTRU.

Strongly disagree.

> You can mostly wrap your brain around RSA if your high school teaches modular arithmetic,
> and the attacks if you take 2nd year uni group theory. ECC also 2nd year group theory.

Yes, it's fairly trivial to understand the basic attacks. If you go through more complicated stuff, like the work of Don Coppersmith - you'll find that the above would probably be insufficient. It's somewhat similar with lattices - see below.

> Lattices, LWE, R-LWE, and especially module-LWE are this esoteric combination of rings,
> fields, and linear algebra that requires a very specific trajectory of graduate studies
> (likely over-simplified, apologies in advance).

IMHO, in general - not true. It's fairly simple on basic level - e.g., LWE, but some attacks are quite subtle.

> I took this note during Steven Galbraith's keynote at PQCrypto2016:
> "There are only a dozen people in the world (2 in the room) who are
> experts in all the branches of math and algorithm theory that go into
> lattice problems, so that poses a big problem in predicting the number
> of bits of security that these things offer."
> (talk recording: https://youtu.be/xpBEgT9xyk8?t=520)

He's a co-author of SIKE, one of the PQC finalists, right? And he published a lot on ECC, hyperelliptic curves, isogenies, etc.

I don't know what level of expertise Dr. Galbraith meant, but I've heard scientists discussing the strength of the lattice-based problems, and articulating their position pretty reasonably.

And, sorry, it's hard to watch talks. Publications (especially peer-reviewed ones ;) are much better to rely upon. Probably, https://www.math.auckland.ac.nz/~sgal018/PQCrypto.pdf would be easier for people to discuss. Starting with slide 2.

> I am most certainly not one of those experts qualified to have an opinion,
> and I know the situation has improved since 2016,

I'm sure I'm not one of the 12 experts that Dr. Galbraith considered qualified to have an opinion (on the subject). ;-)
On the other hand, I'm equally sure his criteria are overly exclusionary.

> .  .  .  but either way I think
> NTRU, ECC, and Rijndael are not directly comparable in terms
> of how "hours of public effort" translate to "confidence".

Do you _fully_ understand the design of AES/Rijndael? And _all_ of the (published) attacks against it? Maybe you feel comfortable determining the strength of EC supersingular-isogeny-based algorithms? ;-)