Re: [Pqc] Mapping the state of PQC and IETF - ssh

[Alexandre Petrescu <alexandre.petrescu@gmail.com>]

Le 03/03/2023 à 12:25, D. J. Bernstein a écrit :
> Alexandre Petrescu writes:
>> Is this crypto subject to export controls and does it concern me in
>> my country or not?
> 
> For countries following the Wassenaar Arrangement, there are export 
> controls on cryptography, but with a critical exception for 
> open-source software. For example, if you look at page 3 of
> 
> https://www.wassenaar.org/app/uploads/2022/12/List-of-Dual-Use-Goods-and-Technologies-Munitions-List-Dec-2022.pdf
>
>
>
>
>
> 
then you find a blanket exception for software "in the public
> domain", where page 225 defines this as software "which has been made
> available without restrictions upon its further dissemination".
> 
> (There's also a note saying that "copyright restrictions do not 
> remove 'technology' or 'software' from being 'in the public domain'".
> This is generally understood to mean that CC0, MIT, GPL, etc. are all
> okay; just don't try to hide the source code or to charge per copy.)
> 
> Beyond the open-source exception, post-quantum cryptography was an 
> accidental exception to the Wassenaar Arrangement until 2018, because
> of the following series of events:
> 
> * Last century, there wasn't the open-source exception in the U.S. 
> The people in charge at NSA were using other exceptions to promote 
> weak cryptography, with considerable success.
> 
> * For example, they set up fast procedures (see page 12 of 
> https://web.archive.org/web/19970528120806/http://www.pmdtc.org/dtn/DTN1092.PDF)
>
>
>
>
>
> 
to approve deployments of 40-bit RC4. RC4 is weak even with larger
> keys; we didn't manage to stamp it out until decades later.
> 
> * After some policy evolution, the Wassenaar Arrangement ended up 
> controlling cryptography "in excess of 56 bits of symmetric key 
> length, or equivalent" (see, e.g., page 93 of the 2017 version: 
> https://www.wassenaar.org/app/uploads/2019/consolidated/2017-List-of-DU-Goods-and-Technologies-and-Munitions-List.pdf).
>
>
>
>
>
> 
* The procedures surrounding the Wassenaar Arrangement require that
> listed items be clearly defined, so someone went through giving a 
> concrete definition of "in excess of 56 bits of symmetric key length,
> or equivalent".
> 
> * Specifically, the definition says that "in excess of 56 bits of 
> symmetric key length, or equivalent" means a "symmetric algorithm" 
> with >56 key bits ("not including parity bits"), or an "asymmetric 
> algorithm" based on "any of the following: 1. Factorisation of 
> integers in excess of 512 bits (e.g., RSA); 2. Computation of 
> discrete logarithms in a multiplicative group of a finite field of 
> size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or 3. 
> Discrete logarithms in a group other than mentioned in paragraph b.2.
> in excess of 112 bits (e.g., Diffie-Hellman over an elliptic 
> curve)."
> 
> Eventually (to my disappointment) someone on that side noticed that 
> this didn't cover post-quantum systems. In 2018, the Wassenaar 
> Arrangement added "asymmetric algorithms" where "the security of the
>  algorithm is based on any of the following: 1. Shortest vector or 
> closest vector problems associated with lattices (e.g., NewHope, 
> Frodo, NTRUEncrypt, Kyber, Titanium); 2. Finding isogenies between 
> Supersingular elliptic curves (e.g., Supersingular Isogeny Key 
> Encapsulation); or 3. Decoding random codes (e.g., McEliece, 
> Niederreiter)".
> 
> Today, as in the 1990s, the export laws create incentives to deploy 
> weak cryptography (e.g., RSA-512) and avoid strong cryptography, 
> including post-quantum cryptography. However, given
> 
> * the evidence of large-scale attackers already recording user data 
> for subsequent decryption,
> 
> * the risk that the attackers will have big quantum computers when 
> some of that data should still be confidential (think about, e.g., 
> whistleblowers talking to journalists), and
> 
> * the blanket exception in the Wassenaar Arrangement for open-source 
> software,
> 
> my recommendation is to proceed with immediate post-quantum 
> deployment, obviously using open-source software!
> 
> There's continual anti-cryptography lobbying from various agencies. 
> It's conceivable that at some point they'll have the political power
>  to remove the open-source exception in the Wassenaar Arrangement, to
>  undo the constitutional constraints on cryptography censorship in
> the U.S., etc. These risks aren't a reason to avoid taking action
> now; tomorrow's changes in the law can't retroactively punish today's
>  lawful actions.
> 
> There are also various efforts by NSA et al. to _slow down_ 
> deployment of post-quantum cryptography. I don't believe that going 
> along with these efforts is consistent with 
> https://www.rfc-editor.org/rfc/rfc7258 ("Pervasive Monitoring Is an 
> Attack"), specifically Section 2 ("The IETF Will Work to Mitigate 
> Pervasive Monitoring").
> 
> For your specific situation, you have to check on the details of the
>  law in your own country. For example, in the U.S., there's a 
> regulation demanding that you send email to enc@nsa.gov and 
> crypt@bis.doc.gov at the time of publication, but I'm skeptical that
>  this will survive court scrutiny.

Thanks for the description and suggestion.

For my specific situation, I kind of raised a questionary comment about
quantum resistance algos and export control during a TTC export controls
discussion (TTC stands for technology and trade council or commission or
similar, between EU and US, covering many trade and technology aspects,
so I asked whether the technology quantum encryption too might become
part of export controls and how; for some reason the question is under
consideration for some time now; the TTC is free access to TTC-inclined
people, meets regularly, has WG on 'standards').

I kind of suppose that if the algos are purely US inventions then they
might become (or not?) export controlled to some countries; but to be
understood under the explanation you gave above, in the better, about
the Wassenaar concept.

> At the opposite extreme, my understanding is that Russia demands back
> doors in cryptography whether or not it's exported.

Hm, good to know, I dont know.  I have not seen a change in stance from
Russia with respect to crypto export controls recently, but I dont know
their initial stance on crypto tech export controls either; it might be
as you say - backdoors imposed, I dont know.

I did see many changes in stance from Russia recently, but it is in what
concerns other Internet aspects (not crypto) - things like blocking
some western websites, independent pursuit of 5G trials, potentially
separation of 5G Internet standardisation (balance to Asia), separate
Internet from lower orbit space like Marathon (but it was so before too,
with old Molniya), and similar.  These 'pivots' so to say are in a
direction of more security, it is obvious, but they dont say 'quantum'
anywhere, so it's not immediately obvious to see how Russia considers
quantum resistance.

I this field, I suppose that Russia might want in the near future to
develop its own concept of quantum resistance, however hard that might
seem, i.e. regardless of cost.

Alex

> 
> ---D. J. Bernstein
>