Re: [CFRG] NSA vs. hybrid

Dan Brown <danibrown@blackberry.com> Thu, 18 November 2021 18:20 UTC

From: Dan Brown <danibrown@blackberry.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 18 Nov 2021 18:20:02 +0000
Message-ID: <9588651a323a489e8e4956e08a64b55f@blackberry.com>
References: <20211112092811.628364.qmail@cr.yp.to>
In-Reply-To: <20211112092811.628364.qmail@cr.yp.to>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/il8o1k2e-mQD-J2EB2BxOkolsXA>
Subject: Re: [CFRG] NSA vs. hybrid

> D. J. Bernstein wrote (on Friday, November 12, 2021 4:28 AM)
>  ...
> I would like to see CFRG instead advising integration of ECC into all post-
> quantum deployments for the foreseeable future. There's no reason that this
> advice has to wait for NISTPQC standards.
> ...

I largely agree with the point above (as some might recall from my past CFRG 
messages).

Hybrid cryptography in IETF ought to be encouraged by CFRG. At minimum, hybrid 
ought to be an option for sensitive applications (high-value data, needing 
long-term protection), where the cost seems worth the benefit. As an 
exception, an IETF WG with low-value, short-term data and little budget for 
cryptography might opt for a single non-hybrid PQC algorithm option.

Real-time authentication (e.g., signature-based server authentication in TLS) 
might have less risk than other applications (e.g., TLS key exchange), because 
new attacks discovered in the future (e.g., relevant quantum computer) cannot 
retroactively break today's real-time authentication. Nonetheless, hybrid
signatures may still be worth the cost?

For certificate structuring, I don't know which is better: (1) certificates 
with hybrid signatures, or (2) multiple certificates with single-algorithm 
signatures (or (3)=(1)+(2)), but CFRG could contribute significantly to a 
recommendation on this issue (e.g. comments already made in this thread). 
Perhaps CFRG should defer this more protocol-specific detail to LAMPS?

Organizationally, NIST and IETF could continue to have some interoperable 
cryptography options, while working independently on non-interoperable 
cryptography options (i.e., hybrid interoperability ;).

Best regards,

Dan

PS. A simplistic cost-benefit approach to choosing hybrid cryptography:
https://eprint.iacr.org/2021/608
Better methods ought to be possible. A discussion on this at
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/OpFVbuMYk8c

