Re: [CFRG] NSA vs. hybrid

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 02 December 2021 17:27 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Soatok Dreamseeker <soatok.dhole@gmail.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] NSA vs. hybrid
Date: Thu, 02 Dec 2021 17:27:11 +0000
Message-ID: <3D515D86-C22C-4212-9F31-95B52206837E@ll.mit.edu>
References: <CAOvwWh19O+U9aXMp8ihzgXxjEGUeoSeXrBc9SupdKc72GSQpEA@mail.gmail.com>
In-Reply-To: <CAOvwWh19O+U9aXMp8ihzgXxjEGUeoSeXrBc9SupdKc72GSQpEA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vsXg5QNziWsytBSj1QpWBSlGWxc>
Subject: Re: [CFRG] NSA vs. hybrid
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

Who’s to say that an Intel agency or a crime syndicate (oops, I meant “outfit” ;) hasn’t secretly developed a classic exploit against one or more of the currently used Classic asymmetric algorithms?

Regards,
Uri

> On Dec 2, 2021, at 12:15, Soatok Dreamseeker <soatok.dhole@gmail.com> wrote:
> 
> 
> Hi Uri,
> 
>> On Thu, Dec 2, 2021 at 11:45 AM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
>> I'll use the NSA term "CRQC" - Cryptographically-Relevant Quantum Computer. I personally believe (based on my weak understanding of the incomplete scientific data - but understanding that others have probably isn't much better than mine) that CRQC will be built within the "relevant" (IMHO) time, aka - a matter of a decade or two. 
>> 
>> Basically, my reasoning against the Hybrid is that it is useless in the majority of cases. But it adds complexity to processing, and unnecessary ballast. 
>> 
>> Here are the possibilities and their relation to the usefulness of the Hybrid approach.
>> 
>> 1.  CRQC arrived, Classic hold against classic attacks,  PQ algorithms hold - Hybrid is useless. 
>> 2. CRQC arrived, Classic hold against classic attacks, PQ algorithms fail - Hybrid is useless. 
>> 3. CRQC arrived, Classic broken against classic attacks,  PQ algorithms hold - Hybrid is useless. 
>> 4. CRQC arrived, Classic hold against classic attacks,  PQ algorithms broken - Hybrid useless. 
>> 5. CRQC doesn’t arrive, Classic hold against classic attacks,  PQ algorithms hold - Hybrid is useless. 
>> 6. CRQC doesn’t arrive, Classic hold against classic attacks,  PQ algorithms broken - Hybrid helps. 
>> 7. CRQC doesn’t arrive, Classic broken against classic attacks,  PQ algorithms hold - Hybrid is useless. 
>> 8. CRQC doesn’t arrive, Classic broken against classic attacks,  PQ algorithms broken - Hybrid is useless. 
>> 
>> You can see from the above that Hybrid would be of benefit in only one case out of eight, one I personally consider among the least probable. 
>> 
>> Hope this explains my position?
>> 
>> Regards,
>> Uri 
> 
> Your setup of 8 possible outcomes is reasonable, but I don't believe your conclusion follows soundly from this premise.
> 
> The core of my disagreement is: none of us are omniscient. (If we were, most cryptography would be useless, and we wouldn't need intelligence agencies.) 
> 
> Even if we take the 8 situations you sketched in your email as a given, we'll never know which world we're in. If an intelligence agency (or significantly sophisticated computer crime syndicate) discovers a classical exploit against one of the NIST finalists (say, as a result of a novel mathematical breakthrough that permits accelerated attacks against lattices), they're strongly incentivized to keep this a secret. (NOBUS vulnerabilities, etc.)
> 
> I'm inclined to agree that, in 1/8 of the worlds, Hybrid helps, and in the other 7/8 of the worlds, it doesn't. However, while Hybrid may not help in those cases, it isn't a clear detriment. This is because the overwhelming majority of the code needed for hybrid signatures (or, indeed, hybrid KEMs) is already implemented in cryptography libraries today, so the hit to code size, attack surface, and complexity is tractable.
> 
> Without any mechanism to distinguish between the 8 possible worlds, we cannot make a strong logical argument either way. We're forced to rely on inductive reasoning. Naturally, what we end up with is a 12.5% probability of a security improvement and an 87.5% chance of a zero-sum outcome.
> 
> My conclusion, following the premise you shared, is that Hybrid is a modest insurance policy (against a circumstance we can't guarantee that we won't fall into due to the perverse incentives of national politics), even if it's one we're not extremely likely to need.
> 
> If you wanted to pose a stronger argument against Hybrid, I think demonstrating a significant cost and/or downside to Hybrid over doing nothing would be the best way to make your case.
> 
> Regards,
> Soatok
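The following is an added example, not code from either poster or from any library the thread mentions. It shows the mechanism both sides are arguing about: a hybrid KEM combiner that feeds both component shared secrets (and both ciphertexts, plus a protocol context) into HKDF, and then a mechanical walk through all eight (CRQC, classical holds, PQ holds) combinations, running an adversary holding whatever component keys that world hands it against real ciphertexts. Assumptions: the Python standard library has neither X25519 nor ML-KEM, so both component slots are filled by a toy finite-field DH KEM over 2^255 - 19 (demo only, not a vetted group); the salt `hybrid-kem-demo` and the context string are constructed for the example; the world enumeration is a full product of the three booleans, so its numbering does not follow the quoted list.

```python
"""Hybrid KEM combiner plus a mechanical check of the eight "worlds".

Added example for the thread above; stdlib only. The two component KEMs are
toy finite-field DH stand-ins for X25519 and ML-KEM (assumption: neither is
available in the stdlib). The combiner itself is the part a library ships:
    K = HKDF(ss_classical || ss_pq, info = ct_classical || ct_pq || context)
"""
import hashlib
import hmac
import secrets
from itertools import product

# Toy field prime for the stand-in DH KEMs. Demo only: NOT a vetted DH group,
# and its choice says nothing about the security of either real component.
P = 2**255 - 19


class ToyDHKem:
    """Finite-field Diffie-Hellman wrapped in the KEM interface."""

    def __init__(self, generator):
        self.g = generator

    def keygen(self):
        sk = secrets.randbelow(P - 2) + 1
        return sk, pow(self.g, sk, P)

    def encaps(self, pk):
        r = secrets.randbelow(P - 2) + 1
        ct = pow(self.g, r, P)                     # ephemeral public value
        ss = pow(pk, r, P).to_bytes(32, "big")     # shared secret
        return ct.to_bytes(32, "big"), ss

    def decaps(self, sk, ct):
        return pow(int.from_bytes(ct, "big"), sk, P).to_bytes(32, "big")


def hkdf(ikm, salt, info, length=32):
    """HKDF-SHA256 (RFC 5869): Extract with the salt, then Expand with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]


def combine(ss_classical, ss_pq, ct_classical, ct_pq, context):
    """KEM combiner. Both shared secrets are the IKM; both ciphertexts and the
    protocol context go into info, binding K to the transcript so a component
    that turns out to be weak cannot steer K without the peer noticing."""
    return hkdf(ss_classical + ss_pq, b"hybrid-kem-demo", ct_classical + ct_pq + context)


CLASSICAL = ToyDHKem(generator=2)   # slot a deployment fills with X25519
PQ_STANDIN = ToyDHKem(generator=3)  # slot a deployment fills with ML-KEM
CONTEXT = b"demo-protocol-v1"       # constructed context label


def hybrid_keygen():
    sk_c, pk_c = CLASSICAL.keygen()
    sk_pq, pk_pq = PQ_STANDIN.keygen()
    return (sk_c, sk_pq), (pk_c, pk_pq)


def hybrid_encaps(pk, context=CONTEXT):
    ct_c, ss_c = CLASSICAL.encaps(pk[0])
    ct_pq, ss_pq = PQ_STANDIN.encaps(pk[1])
    return (ct_c, ct_pq), combine(ss_c, ss_pq, ct_c, ct_pq, context)


def hybrid_decaps(sk, ct, context=CONTEXT):
    ss_c = CLASSICAL.decaps(sk[0], ct[0])
    ss_pq = PQ_STANDIN.decaps(sk[1], ct[1])
    return combine(ss_c, ss_pq, ct[0], ct[1], context)


def hybrid_helps(crqc, classical_holds, pq_holds):
    """True when the hybrid key survives a world in which a PQ-only key would not.
    A CRQC or a classical break hands the adversary the classical private key;
    a PQ break hands it the PQ private key. The adversary then really runs
    decapsulation with whatever it has."""
    sk, pk = hybrid_keygen()
    ct, k_real = hybrid_encaps(pk)
    leaked_c = sk[0] if (crqc or not classical_holds) else None
    leaked_pq = sk[1] if not pq_holds else None
    pq_only_broken = leaked_pq is not None
    hybrid_broken = (leaked_c is not None and leaked_pq is not None
                     and hybrid_decaps((leaked_c, leaked_pq), ct) == k_real)
    return pq_only_broken and not hybrid_broken


def worlds_where_hybrid_helps():
    """All 8 (crqc, classical_holds, pq_holds) combinations in which hybrid helps."""
    return [w for w in product([True, False], repeat=3) if hybrid_helps(*w)]


if __name__ == "__main__":
    for world in product([True, False], repeat=3):
        print(world, "hybrid helps" if hybrid_helps(*world) else "hybrid is not needed")
```

Running it prints exactly one world in which the hybrid key survives and a PQ-only key would not: no CRQC, classical holds, PQ broken. The rest of the design choice worth noting is the info input: concatenating the ciphertexts is what makes the combiner robust to a component that is merely "less broken" rather than cleanly dead, and it costs nothing beyond what the KDF already does.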