Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology
"D. J. Bernstein" <djb@cr.yp.to> Thu, 07 March 2024 21:26 UTC
Date: Thu, 07 Mar 2024 21:26:02 -0000
Message-ID: <20240307212602.1970984.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: pqc@ietf.org
Mail-Followup-To: pqc@ietf.org
In-Reply-To: <LO0P123MB6702BFDC406A1D4436A50F80A8202@LO0P123MB6702.GBRP123.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/oMyla3onVt5fd-Fx7pr6b-iNMdg>
Subject: Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology
Sorry for not having had a chance to look at this draft earlier.

We _hope_ that cryptography is secure. However, beyond some corner cases, we don't _know_ that it's secure. In many cases, it turns out _not_ to be secure. For example, NSA's 1993 "Secure Hash Algorithm" (SHA, later renamed SHA-0) is not actually secure. Labeling it as "secure" was always overstating the available knowledge, communicating something unjustified---and, as we subsequently learned, false---to readers.

It's fine to _ask_ whether cryptography is secure. _Declaring_ that it's secure is unwarranted hype.

I am also opposed to any attempt to redefine "cryptography" to include only secure cryptography. This isn't just encouraging hype: it's also

   * stomping on an established name to mean something different,

   * creating unnecessary difficulties for people who want to talk about the original concept, and

   * hiding an important qualifier that's often not satisfied and that should be made explicit.

To reiterate an earlier pqc@ietf.org discussion: MD5 is still cryptography. Papers breaking MD5 still count as cryptanalysis. The Caesar cipher is still a cipher and appears in cryptography textbooks.

I coined the phrase "post-quantum cryptography" in 2003. An important feature of the phrase is that, just like "cryptography", it is _not_ saying that the cryptography is secure. One can and should _ask_ whether post-quantum cryptography is secure, i.e., whether the cryptography can be broken by an attacker with a quantum computer; but _declaring_ that it's secure is again unwarranted hype.

As an example (again repeated from an earlier discussion) of why it's important to not bake security into the terminology, imagine the statement

   In this section, we briefly give an overview of the main families for
   which post-quantum primitives have been proposed ... One such proposal
   is based on evaluating isogenies on supersingular elliptic curves

from https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf being instead written using the "quantum-resistant" terminology---

   In this section, we briefly give an overview of the main families for
   which quantum-resistant primitives have been proposed ... One such
   proposal is based on evaluating isogenies on supersingular elliptic
   curves

---and then imagine how we would describe the public break of SIKE:

   * Attempt 1: "We told you it's quantum-resistant, and now we're telling you it's broken. See how much better informed we are now?"

   * Attempt 2: "Quantum-resistant is actually defined to mean not known to be broken, so what we said was correct. Misleading you was an accident, really."

   * Attempt 3: "Okay, yes, we were hyping the security to manipulate you into taking action, but we didn't actually expect you to believe what we were saying."

See my email dated 15 Sep 2023 20:17:27 -0000 for further discussion of how this deceptive terminology can create real security failures.

Obviously I am also opposed to stomping on the established name "post-quantum cryptography" to mean quantum-resistant.

I finally had a moment to look at draft-ietf-pquip-pqt-hybrid-terminology-02 and was surprised to read its definition of "post-quantum algorithm":

   An asymmetric cryptographic algorithm that is believed to be secure
   against attacks using quantum computers as well as classical
   computers. Post-quantum algorithms can also be called
   quantum-resistant or quantum-safe algorithms.

This is conflating different concepts. "Quantum-resistant" and "quantum-safe" both communicate security. The words were chosen to communicate this in the first place. A definition saying "believed to be secure" is understating the intent and effect of the words. "Post-quantum" is a neutral timeline phrase that does _not_ communicate security. Saying "believed to be secure" is overstating the intent and effect of the words.

I would define "post-quantum cryptography" as "cryptography under the assumption that the attacker has a quantum computer", and "pre-quantum cryptography" as "cryptography under the assumption that the attacker does not have a quantum computer". I would add a cautionary note saying "In exactly the same way that cryptography is not necessarily secure, post-quantum cryptography is not necessarily secure." I would also add a note advising against usage of the phrases "quantum-resistant cryptography" and "quantum-safe cryptography".

---D. J. Bernstein