Re: [CFRG] NSA vs. hybrid
Natanael <natanael.l@gmail.com> Tue, 07 December 2021 02:01 UTC
References: <BL3PR11MB5732F4B9822A93E08E7E115F9F6D9@BL3PR11MB5732.namprd11.prod.outlook.com> <310998F0-F6A8-46D0-AF14-A85367169396@ll.mit.edu> <e8e80662-ac81-4845-8f8c-64ac81e30890@www.fastmail.com> <E383D80F-D38C-4A6F-9DA6-1BABDA7D8FBF@ll.mit.edu> <BL3PR11MB5732461035F7173FED4A0F309F6E9@BL3PR11MB5732.namprd11.prod.outlook.com>
In-Reply-To: <BL3PR11MB5732461035F7173FED4A0F309F6E9@BL3PR11MB5732.namprd11.prod.outlook.com>
From: Natanael <natanael.l@gmail.com>
Date: Tue, 07 Dec 2021 03:00:46 +0100
Message-ID: <CAAt2M19XCwuF==rmprejs+5Se5DwGYb4QRifR+__vSNtS0gugg@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Martin Thomson <mt@lowentropy.net>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tE9r2OWap3N0CmFDGtoD2LsPtKY>
Subject: Re: [CFRG] NSA vs. hybrid
On Tue, 7 Dec 2021 02:21, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:

> I don't think the "PQ algorithms do not hold" case is as absolute as
> you're claiming:
>
> In cold storage encryption or any kind of public trust signature scenario
> (i.e. places where record-now-crack-later doesn't apply):
> 1) Implementation bugs in either traditional or PQC: hybrid makes these
> not-immediately-fatal and buys you time to patch and potentially re-protect
> existing data. (Applies to both pre- and post-CRQC scenarios thanks to
> "quantum annoyance".)
>
> In all scenarios:
> 2) Hybrid (esp. with 3+ algs) allows you to combine multiple PQC algs,
> spreading out your risk.

And my own main argument, rephrased in the list's condensed form:

Most people worry about non-quantum adversaries; some worry about both quantum and non-quantum adversaries.

PQ algorithms can break in that 1) they get reduced to classical, quantum-weak security, in which case hybrid won't help but where they still resist classical adversaries. And 2) they can also break to even classical adversaries, in which case hybrid does help, because it's much less likely that the more well-established algorithms simultaneously break to classical adversaries.

As mentioned before, #2 has already been observed. I anticipate seeing it happen again. Just because we failed to prevent a quantum attacker, it doesn't mean all is lost, because the most relevant adversaries for most people are still only classical adversaries. In addition, hybrid under #2 raises the cost of performing the attacks.

As for previous questions from earlier messages on the topic, we did not use hybrid between RSA and ECC because ECC took so long to deploy that by the time it was ready for use it was fairly widely trusted already. In addition, it's fairly meaningless to deploy hybrid between algorithms with fundamentally equivalent hardness assumptions and shared attacks.

Hybrid is most useful when the risks are different between the algorithms of choice.
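As an added illustration (not part of Natanael's post, Mike Ounsworth's quoted text, or any code from this thread), the following Python sketches the mechanism the two failure modes above are arguing about: a hybrid KEM combiner that feeds both the traditional and the PQ shared secret through one KDF, so the session key is recoverable only by someone who knows both. The HKDF is RFC 5869 with HMAC-SHA256 (stdlib only); the combiner layout (concatenated shared secrets as IKM, hash of both ciphertexts as salt, a fixed label as info) is an assumed construction chosen for illustration, not a standard. The "KEM outputs" are random stand-in bytes, constructed here, not real X25519 or Kyber values. `simulate_break` models case #2 (attacker learns the PQ secret classically) and case #1 (a CRQC attacker learns both), and returns whether the attacker can reproduce the combined key.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: empty salt defaults to HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(ss_trad: bytes, ss_pq: bytes,
                           ct_trad: bytes, ct_pq: bytes,
                           label: bytes = b"example-hybrid-kem-v1") -> bytes:
    """Assumed hybrid combiner (illustrative, not a standard):
    IKM  = ss_trad || ss_pq   (both secrets are needed to recompute the output)
    salt = H(ct_trad || ct_pq) (binds both ciphertexts so a swapped ciphertext
                               yields a different key)
    info = label               (domain separation from other uses of the KDF)
    """
    if len(ss_trad) != HASH_LEN or len(ss_pq) != HASH_LEN:
        raise ValueError("fixed-length shared secrets expected")
    ikm = ss_trad + ss_pq
    salt = HASH(ct_trad + ct_pq).digest()
    return hkdf_expand(hkdf_extract(salt, ikm), label, HASH_LEN)


def attacker_can_derive(known: dict, real_key: bytes,
                        ct_trad: bytes, ct_pq: bytes) -> bool:
    """Attacker recomputes the combiner, substituting a random guess for any
    component secret it does not know (a 256-bit guess never matches in practice)."""
    ss_trad = known.get("ss_trad") or secrets.token_bytes(HASH_LEN)
    ss_pq = known.get("ss_pq") or secrets.token_bytes(HASH_LEN)
    guess = combine_shared_secrets(ss_trad, ss_pq, ct_trad, ct_pq)
    return hmac.compare_digest(guess, real_key)


def simulate_break(broken: set) -> bool:
    """broken is a subset of {"trad", "pq"}: which component the attacker has broken.
    Returns True if the attacker can reproduce the hybrid session key.
    Stand-in values are constructed random bytes, not real KEM outputs."""
    ss_trad, ss_pq = secrets.token_bytes(HASH_LEN), secrets.token_bytes(HASH_LEN)
    ct_trad, ct_pq = secrets.token_bytes(32), secrets.token_bytes(1088)  # arbitrary sizes
    real_key = combine_shared_secrets(ss_trad, ss_pq, ct_trad, ct_pq)
    known = {}
    if "trad" in broken:
        known["ss_trad"] = ss_trad
    if "pq" in broken:
        known["ss_pq"] = ss_pq
    return attacker_can_derive(known, real_key, ct_trad, ct_pq)


if __name__ == "__main__":
    print("case #2, PQ component broken classically:", simulate_break({"pq"}))
    print("traditional component broken only:      ", simulate_break({"trad"}))
    print("case #1, CRQC breaks both:              ", simulate_break({"trad", "pq"}))
```

The point the simulation makes is the structural one from the post: with a concatenating combiner, a break of one component (either direction) leaves the session key out of reach, while a break of both, which is what a CRQC plus a classically weak PQ scheme amounts to, cannot be rescued by any combiner. Binding the ciphertexts into the salt is what keeps the component secrets from being silently swapped.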