Re: [CFRG] NSA vs. hybrid
Natanael <natanael.l@gmail.com> Tue, 16 November 2021 21:17 UTC
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: CFRG <cfrg@irtf.org>
In-Reply-To: <YZKHYWJgJHNtLsuG@LK-Perkele-VII2.locald>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/lNVLFFQZiTR9NmYq0_j-AbvuGJg>

On Mon, 15 Nov 2021 17:14, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> On Sun, Nov 14, 2021 at 10:49:29PM +0100, Jeff Burdges wrote:
> >
> > It's always possible logic bugs arise in validation code of course,
> > but test vectors can trivially catch these bugs, assuming the
> > certificate format specifies both key types and the hybrid protocol.
>
> Catching those bugs may be far from trivial. Buggy signature
> verification code might have false accepts that are not trivial to
> generate, but still greatly weaken the security. One cannot
> catch those with test vectors.
>
> I have not looked at if there are easy-to-make mistakes in
> signature verification of NISTPQC candidates that would behave in
> that way (not be obviously broken but still exploitable).
>
> > It's fairly clear separate P and Q certificate chains obstruct test
> > vectors from enforcing this and invite more opportunities for
> > downgrade attacks, etc. too.
>
> IMO, the complexity of separate P and Q chain verification is
> absolutely terrifying. As for downgrade attacks, it is not clear how to
> deal with that even in theory, let alone in practice.

Besides committing to the algorithm negotiation as in TLS 1.3 to prevent regular downgrade attacks, there also needs to be a policy that post-quantum CAs can only sign post-quantum certs (or hybrid certs), and that hybrid CAs can ONLY sign hybrid certs up until some predefined transition period has ended (under the assumption that the CA cert gets deprecated then, with the hybrid requirement renewed if we're not yet certain of the strength of post-quantum algorithms). If we feel certain enough at the end of that period that the post-quantum algorithm will hold, then it remains valid and gets to sign post-quantum-only certs.

The next two problems are that nobody will agree on the length of that period, and that CA rollover is still problematic (just see the recent Let's Encrypt issues on older devices).
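The issuance policy sketched in the message above, written out as a chain-level check so the rules can be tested independently of any signature arithmetic. This is an added example, not code from the CFRG thread or from any CA or TLS project: the certificate "kinds", the `Cert`/`Policy` records, the transition date and the sample chains are all constructed here, and the rule that a classical-only CA may issue only classical certs is an assumption the post does not state. The "hybrid requirement renewed" case is modelled by extending the hybrid-only window indefinitely when `pq_trusted_after` is false.

```python
"""Issuance-policy check for a hybrid / post-quantum CA transition.

Added example, not from the CFRG thread or any project. It encodes the
policy from the message as a link-by-link chain validator over abstract
certificate kinds. Kinds, field names, dates and sample chains are
constructed; the classical-CA rule is an assumption (see comment).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Kind(Enum):
    CLASSICAL = "classical"  # classical signature only (e.g. ECDSA)
    PQ = "pq"                # post-quantum signature only
    HYBRID = "hybrid"        # classical AND post-quantum; both must verify


@dataclass(frozen=True)
class Cert:
    name: str
    kind: Kind
    is_ca: bool
    issued: date  # issuance date, compared against the transition end


@dataclass(frozen=True)
class Policy:
    transition_end: date    # end of the predefined hybrid-mandatory period
    pq_trusted_after: bool  # decision taken at that point: does PQ alone hold?


def allowed_to_issue(issuer: Cert, subject: Cert, policy: Policy) -> bool:
    """One link of the chain: may `issuer` have signed `subject`?"""
    if not issuer.is_ca:
        return False
    # Hybrid-only window: the declared period, extended indefinitely if PQ was
    # not judged strong enough at its end (the "hybrid requirement renewed" case).
    hybrid_mandatory = (subject.issued <= policy.transition_end
                        or not policy.pq_trusted_after)
    if issuer.kind is Kind.PQ:
        # PQ CAs sign only PQ or hybrid certs, never classical-only ones.
        return subject.kind in (Kind.PQ, Kind.HYBRID)
    if issuer.kind is Kind.HYBRID:
        if hybrid_mandatory:
            return subject.kind is Kind.HYBRID
        # After the period, with PQ judged safe, the hybrid CA stays valid and
        # may additionally sign PQ-only certs.
        return subject.kind in (Kind.PQ, Kind.HYBRID)
    # Kind.CLASSICAL: outside the post's policy. Assumption for this example:
    # a classical-only CA may not lend its signature to PQ or hybrid certs,
    # since that chain would have no post-quantum root at all.
    return subject.kind is Kind.CLASSICAL


def chain_complies(chain: list[Cert], policy: Policy) -> tuple[bool, str]:
    """chain[0] is the trust anchor, chain[-1] the end-entity certificate.
    Returns (ok, reason); the first violated link is named in the reason."""
    if not chain:
        return False, "empty chain"
    for issuer, subject in zip(chain, chain[1:]):
        if not allowed_to_issue(issuer, subject, policy):
            return False, (f"{issuer.name} ({issuer.kind.value}) may not sign "
                           f"{subject.name} ({subject.kind.value})")
    return True, "ok"


# Constructed policies: same transition date, opposite end-of-period verdicts.
POLICY = Policy(transition_end=date(2030, 12, 31), pq_trusted_after=True)
RENEWED_POLICY = Policy(transition_end=date(2030, 12, 31), pq_trusted_after=False)

# Constructed sample CA certificates (not real certificates).
HYBRID_ROOT = Cert("Hybrid Root", Kind.HYBRID, True, date(2025, 1, 1))
HYBRID_ICA = Cert("Hybrid Intermediate", Kind.HYBRID, True, date(2026, 1, 1))
PQ_ROOT = Cert("PQ Root", Kind.PQ, True, date(2025, 1, 1))


def good_chain_in_transition() -> list[Cert]:
    return [HYBRID_ROOT, HYBRID_ICA, Cert("leaf", Kind.HYBRID, False, date(2027, 6, 1))]


def downgrade_chain_in_transition() -> list[Cert]:
    # A hybrid intermediate signing a classical-only leaf inside the window.
    return [HYBRID_ROOT, HYBRID_ICA, Cert("leaf", Kind.CLASSICAL, False, date(2027, 6, 1))]


def pq_only_leaf_after_transition() -> list[Cert]:
    return [HYBRID_ROOT, HYBRID_ICA, Cert("leaf", Kind.PQ, False, date(2031, 3, 1))]


if __name__ == "__main__":
    for label, chain, pol in [
        ("hybrid chain during transition", good_chain_in_transition(), POLICY),
        ("classical leaf during transition", downgrade_chain_in_transition(), POLICY),
        ("PQ-only leaf after transition, PQ trusted", pq_only_leaf_after_transition(), POLICY),
        ("PQ-only leaf after transition, hybrid renewed", pq_only_leaf_after_transition(), RENEWED_POLICY),
    ]:
        print(f"{label}: {chain_complies(chain, pol)}")
```

The check is deliberately separate from signature verification: a hybrid cert still has to verify under both algorithms, and this policy layer only decides whether the kinds along the chain were allowed to be issued when they were. The same policy object evaluated with `pq_trusted_after=False` shows the renewal case the message describes, where a PQ-only leaf issued after the nominal end date is still rejected.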