Re: [CFRG] NSA vs. hybrid

Natanael <natanael.l@gmail.com> Tue, 07 December 2021 02:01 UTC

From: Natanael <natanael.l@gmail.com>
Date: Tue, 07 Dec 2021 03:00:46 +0100
Message-ID: <CAAt2M19XCwuF==rmprejs+5Se5DwGYb4QRifR+__vSNtS0gugg@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Martin Thomson <mt@lowentropy.net>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tE9r2OWap3N0CmFDGtoD2LsPtKY>

On Tue, 7 Dec 2021 at 02:21, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:

> I don't think the " PQ algorithms do not hold" case is as absolute as
> you're claiming:
>
>
> In cold storage encryption or any kind of public trust signature scenario
> (i.e. places where record-now-crack-later doesn't apply):
> 1) Implementation bugs in either traditional or PQC: hybrid makes these
> not-immediately-fatal and buys you time to patch and potentially re-protect
> existing data. (applies to both pre- and post-CRQC scenarios thanks to
> "quantum annoyance").
>
>
> In all scenarios:
> 2) Hybrid (esp. with 3+ algs) allows you to combine multiple PQC algs,
> spreading out your risk.
>

And my own main argument, rephrased in the list's condensed form:

Most people worry about non-quantum adversaries; some worry about both
quantum and non-quantum adversaries.

PQ algorithms can break in that 1) they get reduced to classical, quantum-weak
security, in which case hybrid won't help, but where they still resist
classical adversaries.

And 2) they can also break even to classical adversaries, in which case
hybrid does help, because it's much less likely that the more well-established
algorithms simultaneously break to classical adversaries.

As mentioned before, #2 has already been observed. I anticipate seeing it
happen again. Just because we failed to prevent a quantum attacker, it
doesn't mean all is lost, because the most relevant adversaries for most
people are still only classical adversaries. In addition, hybrid under #2
raises the cost of performing the attacks.

As for previous questions from earlier messages on the topic, we did not
use hybrid between RSA and ECC because ECC took so long to deploy that by
the time it was ready for use it was already fairly widely trusted. In
addition, it's fairly meaningless to deploy hybrid between algorithms with
fundamentally equivalent hardness assumptions and shared attacks. Hybrid is
most useful when the risks differ between the algorithms of choice.

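Mike's point 2 (hybrid with 3+ algorithms) and Natanael's case #2 (a PQ scheme falling to classical attack) both rest on one property of a hybrid combiner: the derived key can only be recomputed by someone who knows every component's shared secret, so each surviving algorithm multiplies the attacker's remaining work. The block below is an added example, not code from this thread or from any IETF draft; it uses an HKDF-style AND-combiner over length-prefixed secrets and toy 8-bit component secrets (a constructed size chosen so the brute force finishes) to show that fully breaking one of three components still leaves the product of the other two secret spaces to search.

```python
import hashlib
import hmac
import itertools
import secrets

LABEL = b"hybrid-combiner-demo"  # constructed label, not from any spec

def combine(shared_secrets):
    """Derive one session key from every component's shared secret.
    HKDF-style extract-then-expand over the length-prefixed concatenation:
    every component feeds the same PRF input, so the key cannot be recomputed
    unless ALL component secrets are known (an AND-combiner)."""
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in shared_secrets)
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, LABEL + b"\x01", hashlib.sha256).digest()

def new_component(bits):
    """Toy stand-in for one KEM's shared secret; tiny so brute force is feasible."""
    return secrets.randbits(bits).to_bytes((bits + 7) // 8, "big")

def work_factor(bits_per_component, broken):
    """Guesses left once the components in `broken` are fully compromised:
    2^(sum of surviving secret sizes), one factor per algorithm still standing."""
    return 2 ** sum(b for i, b in bits_per_component.items() if i not in broken)

def recover_key(session_key, known, unknown_bits):
    """Adversary who knows the secrets in `known` (index -> bytes) and must
    guess the rest (`unknown_bits`: index -> size in bits).
    Returns (found, guesses_made); guesses never exceed work_factor()."""
    n = len(known) + len(unknown_bits)
    idx = sorted(unknown_bits)
    spaces = [range(2 ** unknown_bits[i]) for i in idx]
    guesses = 0
    for candidate in itertools.product(*spaces):
        guesses += 1
        trial = dict(known)
        for i, v in zip(idx, candidate):
            trial[i] = v.to_bytes((unknown_bits[i] + 7) // 8, "big")
        if hmac.compare_digest(combine([trial[i] for i in range(n)]), session_key):
            return True, guesses
    return False, guesses

if __name__ == "__main__":
    # Three toy components: classical (0), PQ scheme A (1), PQ scheme B (2).
    bits = {0: 8, 1: 8, 2: 8}
    secs = {i: new_component(b) for i, b in bits.items()}
    key = combine([secs[i] for i in range(3)])
    # PQ scheme A broken outright (case #2): attacker still faces up to 2^16 guesses.
    print(recover_key(key, {1: secs[1]}, {0: 8, 2: 8}), "of", work_factor(bits, {1}))
```

Real deployments use full-size secrets and also bind the component ciphertexts and public keys into the KDF input; the toy sizes here exist only to make the exhaustive search observable.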