Re: [CFRG] NSA vs. hybrid
Dan Brown <danibrown@blackberry.com> Thu, 18 November 2021 18:20 UTC
From: Dan Brown <danibrown@blackberry.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 18 Nov 2021 18:20:02 +0000
Message-ID: <9588651a323a489e8e4956e08a64b55f@blackberry.com>
References: <20211112092811.628364.qmail@cr.yp.to>
In-Reply-To: <20211112092811.628364.qmail@cr.yp.to>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/il8o1k2e-mQD-J2EB2BxOkolsXA>
> D. J. Bernstein wrote (on Friday, November 12, 2021 4:28 AM)
> ...
> I would like to see CFRG instead advising integration of ECC into all
> post-quantum deployments for the foreseeable future. There's no reason
> that this advice has to wait for NISTPQC standards.
> ...

I largely agree with the point above (as some might recall from my past CFRG messages). Hybrid cryptography in IETF ought to be encouraged by CFRG.

At minimum, hybrid ought to be an option for sensitive applications (high-value data, needing long-term protection), where the cost seems worth the benefit.

As an exception, an IETF WG with low-value, short-term data and little budget for cryptography might opt for a single non-hybrid PQC algorithm option.

Real-time authentication (e.g., signature-based server authentication in TLS) might have less risk than other applications (e.g., TLS key exchange), because new attacks discovered in the future (e.g., a relevant quantum computer) cannot retroactively break today's real-time authentication. Nonetheless, hybrid signatures may still be worth the cost?

For certificate structuring, I don't know which is better: (1) certificates with hybrid signatures, or (2) multiple certificates with single-algorithm signatures (or (3) = (1) + (2)), but CFRG could contribute significantly to a recommendation on this issue (e.g., comments already made in this thread). Perhaps CFRG should defer this more protocol-specific detail to LAMPS?

Organizationally, NIST and IETF could continue to have some interoperable cryptography options, while working independently on non-interoperable cryptography options (i.e., hybrid interoperability ;).

Best regards,

Dan

PS. A simplistic cost-benefit approach to choosing hybrid cryptography: https://eprint.iacr.org/2021/608 Better methods ought to be possible.

A discussion on this at https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/OpFVbuMYk8c
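Added illustration, not part of the message above and not the method of the eprint paper it links: a toy expected-loss model of the reasoning in the reply (hybrid for high-value, long-lived data; single algorithm when data is low-value and short-lived; less exposure for real-time authentication because a later break is not retroactive). Algorithm names, break probabilities and costs are constructed inputs, and independence of breaks plus a sound combiner are assumptions.

```python
"""Simplistic expected-loss comparison: single algorithm vs. hybrid.
Illustration only; all probabilities and costs are constructed inputs."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Algorithm:
    name: str
    annual_break_prob: float  # assumed chance per year that a practical break appears
    cost: float               # assumed deployment cost over the decision horizon


def break_prob_within(alg: Algorithm, years: float) -> float:
    """P[a break of `alg` appears within `years`], constant annual hazard assumed."""
    return 1.0 - (1.0 - alg.annual_break_prob) ** years


def exposure_years(use_case: str, data_lifetime: float, credential_validity: float) -> float:
    """Years during which a newly found break still matters.
    key_exchange: recorded traffic can be decrypted later, so the data's whole
    confidentiality lifetime counts. realtime_auth: a later break cannot forge an
    already-completed authentication, so only the credential's validity window counts."""
    if use_case == "key_exchange":
        return data_lifetime
    if use_case == "realtime_auth":
        return credential_validity
    raise ValueError(f"unknown use case: {use_case}")


def expected_loss(algs, years: float, loss_on_break: float) -> float:
    """A combination fails only if every component is broken (sound combiner,
    independent breaks assumed); cost is the sum of the components' costs."""
    p_all_broken = 1.0
    for alg in algs:
        p_all_broken *= break_prob_within(alg, years)
    return p_all_broken * loss_on_break + sum(alg.cost for alg in algs)


def choose(candidates, use_case, loss_on_break, data_lifetime=0.0, credential_validity=0.0):
    """Return ({option: expected loss} for each single and each hybrid pair, best option)."""
    years = exposure_years(use_case, data_lifetime, credential_validity)
    options = {a.name: expected_loss([a], years, loss_on_break) for a in candidates}
    for a, b in combinations(candidates, 2):
        options[f"{a.name}+{b.name}"] = expected_loss([a, b], years, loss_on_break)
    return options, min(options, key=options.get)


# Constructed sample algorithms (hypothetical numbers, not estimates of real schemes).
ECC = Algorithm("ecc", annual_break_prob=0.05, cost=1.0)
PQC = Algorithm("pqc", annual_break_prob=0.02, cost=3.0)

if __name__ == "__main__":
    print(choose([ECC, PQC], "key_exchange", 1000.0, data_lifetime=10))
    print(choose([ECC, PQC], "realtime_auth", 1000.0, credential_validity=1))
    print(choose([ECC, PQC], "key_exchange", 10.0, data_lifetime=1))  # low-value, short-lived
```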