IETF Logo Mail Archive

Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

Watson Ladd <watsonbladd@gmail.com> Wed, 03 April 2019 14:58 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18DA51200F9 for <cfrg@ietfa.amsl.com>; Wed, 3 Apr 2019 07:58:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dB_qFrhqFemy for <cfrg@ietfa.amsl.com>; Wed, 3 Apr 2019 07:58:13 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7B2512008D for <cfrg@irtf.org>; Wed, 3 Apr 2019 07:58:12 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id f23so15182254ljc.0 for <cfrg@irtf.org>; Wed, 03 Apr 2019 07:58:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=DlnmKF0g/XK8G9KqUdCcfs56mjBBg6LRKVV3SBz6Mbc=; b=c4UZG2eDkjclN9l3+1faCZb9p0BYVjJB8KhxNa8pt0Wxv55/C7cNQnTbFkwhkkgqAb jf/qWgmiwi4qeiqILPKQcqQyr5fQB+0qFhHH5ZuFzvSqOR1y7oZlqXi8PxcxOAsdbiJC 7bJKHSB3w4G9EeCGHYVP1gfLJam7NOnZdTYVfYJpuxLvDXFm6iUazrzs2WbchXDwE+Jv w8ZjhKcJFLuUA8U8lz4ZWuvVqboVaL6iavC2lZfXyjkZMN5OiJA6a8AM1OIZRbS2N7+2 r/2PuNrA7y2C0PIS44QlxxCYPOU4NP7uljeBXbKle1uMrFRTJrKc87mPAYQbFcZ7caPM pVMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=DlnmKF0g/XK8G9KqUdCcfs56mjBBg6LRKVV3SBz6Mbc=; b=J64XUQAkXjUnDxEEzjVjDGNl2W7mbzu2PDxfRNpRXoP/YybGRKmuGJBFeT6czZbLq6 t22vAECkV29dGtIbL8g2VYLCDuxkDMhdi4ULRZLABbGc4ZRRTZy3KHL5Puo6SLi+2Etx bFt87AlOHnJAQJuB0aJbDaIwJk3E/5mKbYvnTz/351VJ5eFSFNw2UENOb8QiddB21VAX OQfvYbVqstUuL3muI56/6DxRyiP9rGRQIOFHHNZjUgkG0O2HWKkQGHu5OyTLE9Qi0ezt 8DbfwRtqCUdy3Hco7tcSDWwUYT32Msirjnvww/tpQiF6XmUlKzDIntCMMzvDbDY9tx34 c+xQ==
X-Gm-Message-State: APjAAAVY2ZWNkZ/gbtCK+Pk2UqwoCTo5gTxaZdTRAv3r6qjt4PjhWHDo 0Ksu9FE2yjlS8rdq3XqIx+NLwPhblX+RfLpz3So=
X-Google-Smtp-Source: APXvYqxcDqvqP3X7y8LANb9//beBSnUfR2kDPF3GckSe6v7O3QDEJeAUBRPBnxnI1LmSC0aPG2mym2aPKlA5CHGH4Mw=
X-Received: by 2002:a2e:8446:: with SMTP id u6mr110366ljh.71.1554303490873; Wed, 03 Apr 2019 07:58:10 -0700 (PDT)
MIME-Version: 1.0
References: <155231848866.23086.9976784460361189399@ietfa.amsl.com> <CAEseHRrSiJ72tQepyTiL=pSBcRRLGXhnJyy_QzOubWax+v=Ntw@mail.gmail.com> <CAEseHRqh4d0VaeSaj4CWr_ZxJbbpm33ZaLF-aYGBjVowFNLFeQ@mail.gmail.com> <c57bbf7b-3177-eb64-a3c0-26842fccbb89@lepidum.co.jp> <CAEseHRrVomCo6KD7gidCRBzKJDzFZRQ+q0+PjfBr8tQT4dVpMQ@mail.gmail.com> <b016d1f6-68e4-9728-c738-ab72c593dfd1@lepidum.co.jp> <CAEseHRoLGFbf74HT9n2beryc9Liqf2Hz+_rh-yo6Q8hNqwCvNQ@mail.gmail.com> <CAMCcN7RTQU=a+SYVkGUHZ4enOhkA9j9i6ivMRDUwb+aXPZ9hBg@mail.gmail.com> <7AE82BE8-768D-4B70-B7F1-EAF6894E428E@ll.mit.edu> <9CABDAD4-AAB7-46BF-BED7-6A917F828F11@inf.ethz.ch> <27F5D9B6-A44D-4A12-B81D-C4FB01052113@ll.mit.edu> <810C31990B57ED40B2062BA10D43FBF501DB4A31@XMB116CNC.rim.net> <B79CBA86-3C81-4973-84C2-7DAD7B659CB4@ericsson.com> <CADPMZDCHgsP6=ssJymeoq7RP1eshWf4zk+N9Cf1DY-fk+ntCgA@mail.gmail.com> <1554167337418.62603@cs.auckland.ac.nz> <1A5915E5-E50A-426E-B8F5-6CCCA47AB392@ll.mit.edu> <1554185903715.11087@cs.auckland.ac.nz> <86950110-c278-31d2-ae3e-a2485d0243ed@web.de> <1554249372811.54517@cs.auckland.ac.nz> <CAND9ES1a8SrTuk+8yDJQMOUfGRyY+VNbPGM6m1NFo0v2m9oavw@mail.gmail.com> <CACsn0ck5_HgQ+esaNYUk3h0oghBEqxizR3kV9bHOfVSoWuvS+w@mail.gmail.com> <05E673A9-7CC0-47C9-9EDD-B56FE89246EC@ll.mit.edu>
In-Reply-To: <05E673A9-7CC0-47C9-9EDD-B56FE89246EC@ll.mit.edu>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 03 Apr 2019 07:57:58 -0700
Message-ID: <CACsn0cngZoAjKJ4vn_QktktcfGvFRit7NvsmdJfCnKNuQWcvZg@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/uB-TXpIECe6UFsnkROod-ljylfI>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2019 14:58:15 -0000

On Wed, Apr 3, 2019 at 7:54 AM Blumenthal, Uri - 0553 - MITLL
<uri@ll.mit.edu> wrote:
>
> In short, the problem is that one group of people accepts the risks for another group of people.
>
> As one of back officials said in a private discussion: "Your risk is always lower than our cost."

If you don't like these protocols, don't use them. I really do not
understand the issue here: pairings provide all sorts of efficiencies
and nice protocols that we cannot get other ways. The argument that
now we need to stop doing some kinds of cryptography because in some
as of yet unknown timeframe quantum computers will break all the
schemes (ignoring the difference between authentication and
encryption) made as much sense in 1996 as it does today. And yet today
it is problem but was not in 1996?  TLS 1.3 does not have any
post-quantum ciphersuites. The answer here is a good security
considerations section.

>
> Regards,
> Uri
>
> Sent from my iPhone
>
> > On Apr 3, 2019, at 10:48, Watson Ladd <watsonbladd@gmail.com> wrote:
> >
> >> On Wed, Apr 3, 2019 at 4:29 AM William Whyte <wwhyte@onboardsecurity.com> wrote:
> >>
> >> Hi Peter,
> >>
> >>>> Another thing about PQC is that all of this is entirely new crypto that we
> >> have no experience in using.  We've had decades of experience with using
> >> PreQC, and have mostly managed to get it right (a lot of the attacks being
> >> performed were known about years ago but were ignored until someone published
> >> an attack paper with accompanying tools and newsworthy name, and even then
> >> there's a huge amount of code in PreQC crypto designed specifically to prevent
> >> entire classes of attacks), while we have zero experience with using PQC.
> >>
> >> This is an argument for being cautious about deploying PQC. It's not an argument
> >> that it's a good idea to develop new PreQC primitives. If anything, it's an argument
> >> against that.
> >
> > There are protocols that only work with new primitives. Some people
> > are willing to accept the risk.
> > What's the problem?
> >
> >>
> >> Cheers,
> >>
> >> William
> >>
> >>
> >>> On Tue, Apr 2, 2019 at 7:57 PM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> >>>
> >>> Björn Haase <bjoern.m.haase@web.de> writes:
> >>>
> >>>> We know that the cost of conventional attacks is low and many applications
> >>>> are actually "worth" the effort of an attack.
> >>>
> >>> Another thing about PQC is that all of this is entirely new crypto that we
> >>> have no experience in using.  We've had decades of experience with using
> >>> PreQC, and have mostly managed to get it right (a lot of the attacks being
> >>> performed were known about years ago but were ignored until someone published
> >>> an attack paper with accompanying tools and newsworthy name, and even then
> >>> there's a huge amount of code in PreQC crypto designed specifically to prevent
> >>> entire classes of attacks), while we have zero experience with using PQC.
> >>> Which means we're going to see years if not decades of new attacks, or the
> >>> same old attacks that were fixed in PreQC implementations, popping up with
> >>> PQC.  It's quite possible that PQC will make us a lot *less* secure, if QC
> >>> never really happens but the expected vulnerabilities in using PQC do.
> >>>
> >>> In fact I'll make this prediction now:
> >>>
> >>>  Likelihood of successful attacks due to QC: Epsilon.
> >>>  Likelihood of successful attacks due to use of PQC over PreQC: 100.0%.
> >>>
> >>> (the second figure should actually be much higher than 100%, because there'll
> >>> be many, many of them, not just one).
> >>>
> >>> Peter.
> >>>
> >>> _______________________________________________
> >>> Cfrg mailing list
> >>> Cfrg@irtf.org
> >>> https://www.irtf.org/mailman/listinfo/cfrg
> >>
> >>
> >>
> >> --
> >>
> >> ---
> >>
> >> I may have sent this email out of office hours. I never expect a response outside yours.
> >> _______________________________________________
> >> Cfrg mailing list
> >> Cfrg@irtf.org
> >> https://www.irtf.org/mailman/listinfo/cfrg
> >
> >
> >
> > --
> > "Man is born free, but everywhere he is in chains".
> > --Rousseau.
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email