IETF Logo Mail Archive

Re: [CFRG] NSA vs. hybrid

Natanael <natanael.l@gmail.com> Fri, 12 November 2021 11:17 UTC

Return-Path: <natanael.l@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C732D3A0DEA for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 03:17:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uz86CVIOaAkF for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 03:16:57 -0800 (PST)
Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 832173A0DE6 for <cfrg@irtf.org>; Fri, 12 Nov 2021 03:16:57 -0800 (PST)
Received: by mail-ua1-x935.google.com with SMTP id l24so13752644uak.2 for <cfrg@irtf.org>; Fri, 12 Nov 2021 03:16:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=lMdH2tMqe8lnMgWLeJfHGSD9KqVKM7LG7Knq0IDfX3o=; b=hzoGbyFrWjG69Mo+zRoOgJxMGYUPN37Ou49bRi0rywYvxD+Kl8NczAJTvD3nCB9ElF BNdVUQgHTmtCRkm/Iz/uE4J0e7SnYzgg6tapfRrBuJgKOEmwFzwzTR1jA5GvVIfWqNGV c8hEi7w76sZzrZbSV4T4tLeqD9SKy3G67VRnrLV+n+wi0VD54Imin9oikYZfetcIOx/h GddjPnkSqzuCj90artps4qc4XQ8wLnW9v8CEwibxy+xy7moaUCk+ODXprBsSbY4NLpF/ JhF5b6qEfVgcXqrBx3WCpBp4PMkKlV8kzxo71t7l5lBaL27Tg89y7y4kofk19LvNOymi qKJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=lMdH2tMqe8lnMgWLeJfHGSD9KqVKM7LG7Knq0IDfX3o=; b=pqNixLBnltF8wAwpl8Tganjc68v92SdsMUAvK2LCtSZORuYjq/KEq1HhdhnsRdQHkD 8dINUg49fWPlDY6cCcuyg1SAt/4S441DGi5e4LVcFxnim/xrVOoVRdLzA2M2vsOG9655 XTATAB9AwdDlVedET53V5AqxZmvOx/Gh//DRzuPSPidtWjKLqMiYewP6nE6LnElmWie8 ASnOKqeO1Q3OrKV0+RxDEoJH8aUhifH5jeGuwwHRJ8jTwJVE+kU/QoBssk4r2i0K3EMV anhSF7yEW5qvL9i9SwCC5Ga3wiSlssVf3I5ehy8Yv8+kyezEXmEIpxl8Zlx20VWk6S70 kKOQ==
X-Gm-Message-State: AOAM530DM3VfFW1liUaWYtduNFaa8GK+jCW5Po8m/zHCEO7pdSXAnwQC OYG2bYfLxyg2LoGER3w+XKXIQYI6S0k1GXjmiMo1TjgD
X-Google-Smtp-Source: ABdhPJzL4sS+AvQ3buGVbLzjtP2jk+5T0tNXc3he7mVUVA/kUwvm6/ZZ8Ji08VGGRK6Ek2RpMDiSHVITL57WdnybVJo=
X-Received: by 2002:a67:c11c:: with SMTP id d28mr9293329vsj.54.1636715815458; Fri, 12 Nov 2021 03:16:55 -0800 (PST)
MIME-Version: 1.0
References: <20211112092811.628364.qmail@cr.yp.to>
In-Reply-To: <20211112092811.628364.qmail@cr.yp.to>
From: Natanael <natanael.l@gmail.com>
Date: Fri, 12 Nov 2021 12:16:43 +0100
Message-ID: <CAAt2M18seCg-Z_QZRma6nOiXS5SpESc=9Wfg_2brUbwiAxpSxQ@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000c75d3405d09598a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fhaid7v_6CSNE613QvFjKEuFApE>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 11:17:02 -0000

Den fre 12 nov. 2021 10:29D. J. Bernstein <djb@cr.yp.to> skrev:

> This looks to me like something that should be discussed in CFRG rather
> than LAMPS:
>
>
> https://datatracker.ietf.org/meeting/112/materials/slides-112-lamps-hybrid-non-composite-multi-certificate-00
>
> https://mailarchive.ietf.org/arch/msg/spasm/McksDhejGgJJ6xG617FEWLbBq0k/
>
> This is one part of a big push by NSA across multiple non-CFRG venues to
> convince everyone to
>
>    * deploy small lattice systems---which _hopefully_ protects against
>      quantum computers---and
>
>    * _turn off ECC_---this is the scary part, since there's a serious
>      risk that the small lattice systems are easier to break than ECC.
>
> I would like to see CFRG instead advising integration of ECC into all
> post-quantum deployments for the foreseeable future. There's no reason
> that this advice has to wait for NISTPQC standards.
>
> Specific comments follow.
>
> [...]

  [ under "CONS" of "composite" certs ]
> > Can require reworking of certificate validation
>
> Yikes---sounds scary given how tricky certificate validation is. But
> wait a minute. Isn't certificate validation simply calling signature
> verification as a black box? What has to be reworked here?
>

In theory it should be simple, in practice there's constant mistakes made
in validating certificate chains and certificate properties. In theory this
should be as simple as requiring dual and identical certificate chains with
no difference but the asymmetric primitives, requiring both to be valid at
once. In practice, I expect this to get messed up in a million different
ways.

With that said, I do personally favor adding support for "multi-signature
certs", of which composite certs with non PQ and PQ algorithms together is
one variant. Fixing this once and making sure it stays fixed feels to me
like the better option (in my layman's opinion).

  [ under "CONS" of "composite" certs ]
> > Maintenance concerns surrounding deprecated algorithms
>
> Why is this supposed to be more of an issue for "composite" certs than
> for "non-composite" certs?
>

My best guess is that with non composite you can easily ignore the cert
with non PQ algorithms (just don't supply it to the validator). However a
validator with support for composite certs should equally easily be able to
ignore non PQ chains.

  [ under "PROS" of "non-composite" certs ]
> > Computational processes remain unchanged (but perhaps multiple
> > iterations)
>
> This sounds weird, given that the whole point is to be adding new
> post-quantum primitives into the picture. Perhaps I'm missing some
> restricted definition of "computational process".
>

This is essentially a variant of the argument above, you run the validator
twice on different certs with only the primitive being different. The
validator needs additional changes to put both chains in the same cert.

  [ under "PROS" of "non-composite" certs ]
> > Ease of use for backward compatibility
>
> How is a P certificate plus a Q certificate easier to use than a P
> certificate plus a P+Q certificate? If this is supposed to be an
> objection to the cost of the extra 64 bytes then there also has to be an
> analysis of how much space is lost by the "non-composite" approach.
>

Similar to above, some older strict validators might reject composite certs
with an additional PQ chain even if the non PQ chain is valid. In this case
you may need to identify the user agent and serve only a non PQ cert.

However, I don't see what kind of software would have issues with
validating the non PQ part in composite certs but which would also happily
accept double certificates and validate just the non PQ one and ignore that
the other fails to validate (due to incompatibility), so this claim is odd.
Any software updated to support two certs can also update the validator
code.

The ability to serve and receive and correctly process double certs will in
itself essentially be a new standard.

v2.23.0 | Report a Bug | By Email