Re: [CFRG] NSA vs. hybrid
Soatok Dreamseeker <soatok.dhole@gmail.com> Thu, 02 December 2021 13:26 UTC
Return-Path: <soatok.dhole@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19DDC3A10CF for <cfrg@ietfa.amsl.com>; Thu, 2 Dec 2021 05:26:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ISEgg9v8D1Tr for <cfrg@ietfa.amsl.com>; Thu, 2 Dec 2021 05:26:14 -0800 (PST)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9DE93A10C6 for <cfrg@irtf.org>; Thu, 2 Dec 2021 05:26:13 -0800 (PST)
Received: by mail-wr1-x436.google.com with SMTP id c4so59643087wrd.9 for <cfrg@irtf.org>; Thu, 02 Dec 2021 05:26:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=obzVRmNhwmc7Vr1bEQS00ceAXC9wX5NZF/UD2QdYwBU=; b=MJue8ey8qOI/SN50TpUMViGj7CXWTWv+4/VnNHt5x128UmTSxwJef7GdqdKmRsY04i Qz00dHiw059huDbvjtpGGqoXzg/RNDpagyS/74eeZCB52V6eWaBIY2RN6FBNK9AGNLVt 55yiQewT8083+CSS2TvenU8C7/X4S/+bTt7LcraPLPPxt50x0e1mBo4VdYfiHpKwLKj4 QZecBXfV0sXFXKA3hd7/b+zY7efK06zWxfBlbJBnRYnY5uJ5GwrGVXQGin76sfiDtRzr KteqxfjVP97NztaBJ/qMtJgXLI8wQEf+uMpvLZE7ObaeO6BYs3eTimLk+MMJMa9laC6Y DKFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=obzVRmNhwmc7Vr1bEQS00ceAXC9wX5NZF/UD2QdYwBU=; b=4W/Ve8dbQf1gKgLuXEsdHbKvRNsljEoEpNgXWva5wz4DlBMTrycJN3pYRxRUfLOvcs 0i5G3MXyMVDmnrcD9S7OmGYjXSzqb4deDZbrgGrUJoZZN8GiLueClO6VM7lTBhMGOjA/ CA3gUgjqvpFvpvA68iPGQ+5D9c+RZawk0g6mlx70ta8jzgCJPvs8LRIgMYCytj46LTEQ /VMjKdBGxsknIvvHhAR9/0HGHb9oEPIBIc2TEEIxLQE+75GhYpk7oKW6OJyg/BFynlsl s8f1CmWs81uno+aFb+VFO9GYLiEOL3Xuf2yWW0Vqvwve3wrEBKt5arFSO0ADfaiczyRq 5eJQ==
X-Gm-Message-State: AOAM5331UMPsBPozOVEVqkltig+6gJ5esSoEBDX93nEBa5r66VJnb6ni 2CwYJTWYI5738iUppE1Jql/LGaPVibqrxnNWX4A=
X-Google-Smtp-Source: ABdhPJzlrtXFxwgS1zKK0cWQJULjsZLsu7iU6YO05kD3ujjgQmcigxuaxdUR608e3zconyyNc50rLfCbk0CfSvC0iIs=
X-Received: by 2002:adf:f98c:: with SMTP id f12mr14526259wrr.184.1638451570933; Thu, 02 Dec 2021 05:26:10 -0800 (PST)
MIME-Version: 1.0
References: <20211112092811.628364.qmail@cr.yp.to> <9588651a323a489e8e4956e08a64b55f@blackberry.com> <CAMCcN7TmFuu-msYvmWDV=c3R=Vxyg9MBV++o3BfVDHEj8i3NmA@mail.gmail.com> <D598FD2A-A2F3-4B91-9F11-70412E17D7A8@ll.mit.edu>
In-Reply-To: <D598FD2A-A2F3-4B91-9F11-70412E17D7A8@ll.mit.edu>
From: Soatok Dreamseeker <soatok.dhole@gmail.com>
Date: Thu, 02 Dec 2021 08:25:59 -0500
Message-ID: <CAOvwWh2s5m1Lu-EHFOHaCyKd8PQS6DSVHEWM5R9CW382+b62pw@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000de039b05d229bb4b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zAQrY7BFu4LfWJEBF1c28cXoXpo>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Dec 2021 13:26:19 -0000
Hi Uri, On Thu, Dec 2, 2021 at 7:55 AM Blumenthal, Uri - 0553 - MITLL < uri@ll.mit.edu> wrote: > NIST did not invent the finalists – some of them have more than two > decades of research behind them. Situation looks comparable to that with > RSA and ECC when those algorithms were brought into standards. > > > > Thus, I do not support the Hybrid approach. > > -- > > Regards, > > Uri > > > > *There are two ways to design a system. One is to make it so simple there > are obviously no deficiencies.* > > *The other is to make it so complex there are no obvious deficiencies.* > > * > - > C. A. R. Hoare* > > > > > > *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Marek Jankowski < > mjankowski309@gmail.com> > *Date: *Thursday, December 2, 2021 at 06:23 > *To: *Dan Brown <danibrown@blackberry.com> > *Cc: *CFRG <cfrg@irtf.org>, "D. J. Bernstein" <djb@cr.yp.to> > *Subject: *Re: [CFRG] NSA vs. hybrid > > > > Joining Dan, I too believe that the vetting of PQC algorithms should > originate in a public process, and that NIST has not yet proven we should > rely on the finalists alone. I find it important that CFRG advise upon > hybridization both in KEMs and signatures, although I don't have a strong > opinion in the composite vs multi-certs debate. > In the same context, I worry that not having a FIPS standard for Ed25519, > the result of FIPS 186-5's publication being delayed, might cause a delay > in adoption of PQ+EC hybrid signatures. CFRG should address this issue and > take a proactive stance towards NIST by engaging in discussions regarding > the publication of FIPS 186-5 as well as PQC and hybrid standards later on. > > Best regards, > Marek > > > > On Thu, Nov 18, 2021 at 7:20 PM Dan Brown <danibrown@blackberry.com> > wrote: > > > D. J. Bernstein wrote (on Friday, November 12, 2021 4:28 AM) > > ... > > I would like to see CFRG instead advising integration of ECC into all > post- > > quantum deployments for the foreseeable future. There's no reason that > this > > advice has to wait for NISTPQC standards. > > ... > > I largely agree with the point above (as some might recall from my past > CFRG > messages). > > Hybrid cryptography in IETF ought to be encouraged by CFRG. At minimum, > hybrid > ought to be an option for sensitive applications (high-value data, needing > long-term protection), where the cost seems worth the benefit. As an > exception, an IETF WG with low-value, short-term data and little budget > for > cryptography, might opt for a single non-hybrid PQC algorithm option. > > Real-time authentication (e.g., signature-based server authentication in > TLS), > might have less risk than other applications (e.g., TLS key exchange), > because > new attacks discovered in the future (e.g., relevant quantum computer) > cannot > retroactively break today's real-time authentication. Nonetheless, hybrid > signatures may still be worth the cost? > > For certificate structuring, I don't know which is better: (1) > certificates > with hybrid-signatures, or (2) multiple certificates with a > single-algorithm > signatures (or (3)=(1)+(2)), but CFRG could contribute significantly to a > recommendation on this issue (e.g. comments already made in this thread). > Perhaps CFRG should defer this more protocol-specific detail to LAMPS? > > Organizationally, NIST and IETF could continue to have some interoperable > cryptography options, while working independently on non-interoperable > cryptography options (i.e., hybrid interoperability ;). > > Best regards, > > Dan > > PS. A simplistic cost-benefit approach to choosing hybrid cryptography: > https://eprint.iacr.org/2021/608 > Better methods ought to be possible. A discussion on this at > https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/OpFVbuMYk8c > > > ---------------------------------------------------------------------- > This transmission (including any attachments) may contain confidential > information, privileged material (including material protected by the > solicitor-client or other applicable privileges), or constitute non-public > information. Any use of this information by anyone other than the intended > recipient is prohibited. If you have received this transmission in error, > please immediately reply to the sender and delete this information from > your system. Use, dissemination, distribution, or reproduction of this > transmission by unintended recipients is not authorized and may be unlawful. > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg Thanks for sharing. Could you elaborate more on why you do not support the Hybrid approach? You said "Thus, I do not support the Hybrid approach" but did not establish a predicate for this conclusion. Thank you, Soatok
- [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Stephen Farrell
- Re: [CFRG] NSA vs. hybrid Scott Fluhrer (sfluhrer)
- Re: [CFRG] NSA vs. hybrid Loganaden Velvindron
- Re: [CFRG] NSA vs. hybrid Soatok Dreamseeker
- Re: [CFRG] NSA vs. hybrid Jeff Burdges
- Re: [CFRG] NSA vs. hybrid Loganaden Velvindron
- Re: [CFRG] NSA vs. hybrid Ilari Liusvaara
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Dan Brown
- Re: [CFRG] NSA vs. hybrid Marek Jankowski
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Soatok Dreamseeker
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Soatok Dreamseeker
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Re: NSA vs. hybrid Björn Haase
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid D. J. Bernstein
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Phillip Hallam-Baker
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Dan Brown
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Martin Thomson
- Re: [CFRG] NSA vs. hybrid Andrey Jivsov
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Loganaden Velvindron
- Re: [CFRG] NSA vs. hybrid Richard Outerbridge
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Christopher Peikert
- Re: [CFRG] [EXTERNAL] Re: NSA vs. hybrid Mike Ounsworth
- Re: [CFRG] NSA vs. hybrid Marek Jankowski
- Re: [CFRG] NSA vs. hybrid Mike Hamburg
- Re: [CFRG] NSA vs. hybrid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] NSA vs. hybrid Mike Hamburg
- Re: [CFRG] NSA vs. hybrid Natanael
- Re: [CFRG] Re: NSA vs. hybrid Björn Haase