Re: [CFRG] NSA vs. hybrid

Soatok Dreamseeker <soatok.dhole@gmail.com> Thu, 02 December 2021 13:26 UTC

From: Soatok Dreamseeker <soatok.dhole@gmail.com>
Date: Thu, 02 Dec 2021 08:25:59 -0500
Message-ID: <CAOvwWh2s5m1Lu-EHFOHaCyKd8PQS6DSVHEWM5R9CW382+b62pw@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zAQrY7BFu4LfWJEBF1c28cXoXpo>

Hi Uri,

On Thu, Dec 2, 2021 at 7:55 AM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

> NIST did not invent the finalists – some of them have more than two
> decades of research behind them. Situation looks comparable to that with
> RSA and ECC when those algorithms were brought into standards.
>
>
>
> Thus, I do not support the Hybrid approach.
>
> --
>
> Regards,
>
> Uri
>
> *There are two ways to design a system. One is to make it so simple there
> are obviously no deficiencies.*
>
> *The other is to make it so complex there are no obvious deficiencies.*
>
> *- C. A. R. Hoare*
>
> *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Marek Jankowski <
> mjankowski309@gmail.com>
> *Date: *Thursday, December 2, 2021 at 06:23
> *To: *Dan Brown <danibrown@blackberry.com>
> *Cc: *CFRG <cfrg@irtf.org>, "D. J. Bernstein" <djb@cr.yp.to>
> *Subject: *Re: [CFRG] NSA vs. hybrid
>
>
>
> Joining Dan, I too believe that the vetting of PQC algorithms should
> originate in a public process, and that NIST has not yet proven we should
> rely on the finalists alone. I find it important that CFRG advise upon
> hybridization both in KEMs and signatures, although I don't have a strong
> opinion in the composite vs multi-certs debate.
> In the same context, I worry that not having a FIPS standard for Ed25519,
> the result of FIPS 186-5's publication being delayed, might cause a delay
> in adoption of PQ+EC hybrid signatures. CFRG should address this issue and
> take a proactive stance towards NIST by engaging in discussions regarding
> the publication of FIPS 186-5 as well as PQC and hybrid standards later on.
>
> Best regards,
> Marek
>
>
>
> On Thu, Nov 18, 2021 at 7:20 PM Dan Brown <danibrown@blackberry.com>
> wrote:
>
> > D. J. Bernstein wrote (on Friday, November 12, 2021 4:28 AM)
> > ...
> > I would like to see CFRG instead advising integration of ECC into all
> > post-quantum deployments for the foreseeable future. There's no reason that
> > this advice has to wait for NISTPQC standards.
> > ...
>
> I largely agree with the point above (as some might recall from my past
> CFRG messages).
>
> Hybrid cryptography in IETF ought to be encouraged by CFRG. At minimum,
> hybrid ought to be an option for sensitive applications (high-value data,
> needing long-term protection), where the cost seems worth the benefit.  As an
> exception, an IETF WG with low-value, short-term data and little budget for
> cryptography, might opt for a single non-hybrid PQC algorithm option.
>
> Real-time authentication (e.g., signature-based server authentication in
> TLS), might have less risk than other applications (e.g., TLS key exchange),
> because new attacks discovered in the future (e.g., relevant quantum
> computer) cannot retroactively break today's real-time authentication.
> Nonetheless, hybrid signatures may still be worth the cost?
>
> For certificate structuring, I don't know which is better: (1) certificates
> with hybrid-signatures, or (2) multiple certificates with a single-algorithm
> signatures (or (3)=(1)+(2)), but CFRG could contribute significantly to a
> recommendation on this issue (e.g. comments already made in this thread).
> Perhaps CFRG should defer this more protocol-specific detail to LAMPS?
>
> Organizationally, NIST and IETF could continue to have some interoperable
> cryptography options, while working independently on non-interoperable
> cryptography options (i.e., hybrid interoperability ;).
>
> Best regards,
>
> Dan
>
> PS. A simplistic cost-benefit approach to choosing hybrid cryptography:
> https://eprint.iacr.org/2021/608
> Better methods ought to be possible.   A discussion on this at
> https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/OpFVbuMYk8c
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg


Thanks for sharing. Could you elaborate more on why you do not support the
Hybrid approach? You said "Thus, I do not support the Hybrid approach" but
did not establish a predicate for this conclusion.

Thank you,
Soatok