Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology

"D. J. Bernstein" <djb@cr.yp.to> Thu, 07 March 2024 21:26 UTC

Date: Thu, 07 Mar 2024 21:26:02 -0000
Message-ID: <20240307212602.1970984.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: pqc@ietf.org
Mail-Followup-To: pqc@ietf.org
In-Reply-To: <LO0P123MB6702BFDC406A1D4436A50F80A8202@LO0P123MB6702.GBRP123.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/oMyla3onVt5fd-Fx7pr6b-iNMdg>

Sorry for not having had a chance to look at this draft earlier.

We _hope_ that cryptography is secure. However, beyond some corner
cases, we don't _know_ that it's secure. In many cases, it turns out
_not_ to be secure.

For example, NSA's 1993 "Secure Hash Algorithm" (SHA, later renamed
SHA-0) is not actually secure. Labeling it as "secure" was always
overstating the available knowledge, communicating something
unjustified---and, as we subsequently learned, false---to readers.

It's fine to _ask_ whether cryptography is secure. _Declaring_ that it's
secure is unwarranted hype.

I am also opposed to any attempt to redefine "cryptography" to include
only secure cryptography. This isn't just encouraging hype: it's also

   * stomping on an established name to mean something different,
   * creating unnecessary difficulties for people who want to talk about
     the original concept, and
   * hiding an important qualifier that's often not satisfied and that
     should be made explicit.

To reiterate an earlier pqc@ietf.org discussion: MD5 is still
cryptography. Papers breaking MD5 still count as cryptanalysis. The
Caesar cipher is still a cipher and appears in cryptography textbooks.

I coined the phrase "post-quantum cryptography" in 2003. An important
feature of the phrase is that, just like "cryptography", it is _not_
saying that the cryptography is secure. One can and should _ask_ whether
post-quantum cryptography is secure, i.e., whether the cryptography can
be broken by an attacker with a quantum computer; but _declaring_ that
it's secure is again unwarranted hype.

As an example (again repeated from an earlier discussion) of why it's
important to not bake security into the terminology, imagine the
statement

   In this section, we briefly give an overview of the main families for
   which post-quantum primitives have been proposed ... One such
   proposal is based on evaluating isogenies on supersingular elliptic
   curves

from https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf being
instead written using the "quantum-resistant" terminology---

   In this section, we briefly give an overview of the main families for
   which quantum-resistant primitives have been proposed ... One such
   proposal is based on evaluating isogenies on supersingular elliptic
   curves

---and then imagine how we would describe the public break of SIKE:

   * Attempt 1: "We told you it's quantum-resistant, and now we're
     telling you it's broken. See how much better informed we are now?"

   * Attempt 2: "Quantum-resistant is actually defined to mean not known
     to be broken, so what we said was correct. Misleading you was an
     accident, really."

   * Attempt 3: "Okay, yes, we were hyping the security to manipulate
     you into taking action, but we didn't actually expect you to
     believe what we were saying."

See my email dated 15 Sep 2023 20:17:27 -0000 for further discussion of
how this deceptive terminology can create real security failures.

Obviously I am also opposed to stomping on the established name
"post-quantum cryptography" to mean quantum-resistant.

I finally had a moment to look at draft-ietf-pquip-pqt-hybrid-terminology-02
and was surprised to read its definition of "post-quantum algorithm":

    An asymmetric cryptographic algorithm that is believed to be secure
    against attacks using quantum computers as well as classical
    computers.  Post-quantum algorithms can also be called
    quantum-resistant or quantum-safe algorithms.

This is conflating different concepts.

"Quantum-resistant" and "quantum-safe" both communicate security. The
words were chosen to communicate this in the first place. A definition
saying "believed to be secure" is understating the intent and effect of
the words.

"Post-quantum" is a neutral timeline phrase that does _not_ communicate
security. Saying "believed to be secure" is overstating the intent and
effect of the words.

I would define "post-quantum cryptography" as "cryptography under the
assumption that the attacker has a quantum computer", and "pre-quantum
cryptography" as "cryptography under the assumption that the attacker
does not have a quantum computer".

I would add a cautionary note saying "In exactly the same way that
cryptography is not necessarily secure, post-quantum cryptography is
not necessarily secure." I would also add a note advising against usage
of the phrases "quantum-resistant cryptography" and "quantum-safe
cryptography".

---D. J. Bernstein