IETF Logo Mail Archive

Re: [Suit] Benjamin Kaduk's No Objection on draft-ietf-suit-architecture-14: (with COMMENT)

Toerless Eckert <tte@cs.fau.de> Fri, 20 November 2020 04:34 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 833A73A1834; Thu, 19 Nov 2020 20:34:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k1qiYLY6NL-K; Thu, 19 Nov 2020 20:34:32 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC7813A1833; Thu, 19 Nov 2020 20:34:28 -0800 (PST)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 04C2B548019; Fri, 20 Nov 2020 05:34:22 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id ED00E440059; Fri, 20 Nov 2020 05:34:21 +0100 (CET)
Date: Fri, 20 Nov 2020 05:34:21 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Brendan Moran <Brendan.Moran@arm.com>, Russ Housley <housley@vigilsec.com>, "suit-chairs@ietf.org" <suit-chairs@ietf.org>, suit <suit@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-suit-architecture@ietf.org" <draft-ietf-suit-architecture@ietf.org>
Message-ID: <20201120043421.GT39343@faui48f.informatik.uni-erlangen.de>
References: <160456913386.24093.10722400425795162498@ietfa.amsl.com> <AB676068-F487-4366-9986-B97690CA35F8@arm.com> <20201119111024.GD39170@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20201119111024.GD39170@kduck.mit.edu>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/B4Ruw97XK0tmZ64Qz0qdzQjM_u4>
Subject: Re: [Suit] Benjamin Kaduk's No Objection on draft-ietf-suit-architecture-14: (with COMMENT)
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 04:34:37 -0000

Benjamin, *:

I do not think that the simple extension of the current text explanation
to include "and the trend in quantum annealing capacity" would help:

>From reading Brendans text below and doing a quick search through
[quantum-factorization], it looks to me as if the conclusion
currently written into the draft "... approximately 2030 ..." is an original
research conclusion by Brendan et.al. and can not be directly found in
[quantum-factorization]. The actual reference for the conclusion is
the text below from Brendan, and if the 2030 prediction is to be kept in the
text then readers should be made aware of this original research.

I would obviously like to see the three paragraphs from Brendan put
somewhere into the draft (appendix or the like), but if the authors worry about length, then
they could simply put a reference to Brendans email into the draft
(aka: see [https://mailarchive.ietf.org/arch/msg/suit/Ao2OlGo0yhjLncVftTLAJ2jjw2E/]) 

Cheers
    Toerless

On Thu, Nov 19, 2020 at 03:10:24AM -0800, Benjamin Kaduk wrote:
> Hi Brendan,
> 
> Thanks for the extra reference and discussion about the timescale estimates
> for quantum computers and integer factorization.  (And for accepting most
> of my other comments.)  I see now how the factorization-by-annealing
> reference was intended to be used, and had not been paying close enough
> attention to know the 5640-qbit and doubling-every-two-years numbers for
> D-Wave.
> 
> If I was going to suggest a change to the text, it would be quite small,
> perhaps something like "based on current research [quantum-factorization]
> and the trend in quantum annealing capacity".
> 
> Thanks again,
> 
> Ben
> 
> On Wed, Nov 18, 2020 at 10:05:44PM +0000, Brendan Moran wrote:
> > We will take on board the majority of these comments.
> > 
> > WRT the PQC time horizon, quantum annealing attacks on RSA are dependent commercial quantum annealers.
> > 
> > The paper in nature shows the factorisation of 376,289 in 94 qubits. In fact, other researchers have factored 1,005,973 with only 89 qubits [1]. With this second algorithm, characterised as O(log^2(N)), RSA-768 would require 147,454 qubits. D-Wave has shipped quantum computers with 5640 qubits already. They have a historical average of doubling the number of qubits every two years. Based on this trajectory, they should be shipping a quantum computer that can break RSA-768 in approximately 2030 (log_2(147454/5640)) = 4.7 => 9.4 years. RSA-2048, then, would be broken between 2 and 4 years later, and RSA-4096 a mere 2 years after that.
> > 
> > This is a naive analysis. However, it is intended to show that a scalable general purpose quantum computer is not the only threat to current cryptographic techniques, that the time horizon is not long, and that urgent action is required to ensure that devices with long lifetimes account for EITHER cryptographic agility or quantum safety, preferably the latter, since quantum safe algorithms require much more data than classical asymmetric crypto and, therefore, require extra considerations, particularly when used in constrained IoT.
> > 
> > Obviously, the hole in this analysis is that RSA is not common in IoT. I have not yet found equivalent research that shows how a quantum annealer could attack ECDSA or EDDSA. I assume that there are research teams working on this. We should prepare ourselves for the potential of that particular revelation.
> > 
> > We have not gone into this detail in the architecture because it seems both orthogonal to the general discussion in the architecture, extremely time-sensitive, and extremely algorithm-sensitive. It will be an irrelevant prediction and analysis within a handful of years.
> > 
> > Best Regards,
> > Brendan
> > 
> > [1] https://link.springer.com/article/10.1007/s11433-018-9307-1
> > 
> > 
> > > On 5 Nov 2020, at 09:38, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
> > >
> > > Benjamin Kaduk has entered the following ballot position for
> > > draft-ietf-suit-architecture-14: No Objection
> > >
> > > When responding, please keep the subject line intact and reply to all
> > > email addresses included in the To and CC lines. (Feel free to cut this
> > > introductory paragraph, however.)
> > >
> > >
> > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > >
> > > The document, along with other ballot positions, can be found here:
> > > https://datatracker.ietf.org/doc/draft-ietf-suit-architecture/
> > >
> > >
> > >
> > > ----------------------------------------------------------------------
> > > COMMENT:
> > > ----------------------------------------------------------------------
> > >
> > > Does the XIP case mean that repeated firmware updates would have
> > > potential to cause undue wear on the fixed flash cells that hold the
> > > firmware image?  If so, this might be noted in the security
> > > considerations.
> > >
> > > I am not sure that I have fully digested Bob Briscoe's detailed review
> > > comments, but it seems like we may want to continue to reflect on which
> > > portions of the architecture will be optional to implement, and how we
> > > might indicate that in the document.
> > >
> > > I also made a pull request for some editorial nits at
> > > https://github.com/suit-wg/architecture/pull/15 .
> > >
> > > Section 1
> > >
> > >   otherwise difficult.  Firmware updates
> > >   for IoT devices are expected to work automatically, i.e. without user
> > >   involvement.  Conversely, IoT devices are expected to account for
> > >   user preferences and consent when scheduling updates.  Automatic
> > >
> > > I can't quite tell if the "Conversely" case is intending to refer to IoT
> > > or non-IoT devices.
> > >
> > >   The firmware update process has to ensure that
> > >
> > >   -  The firmware image is authenticated and integrity protected.
> > >      [...]
> > >
> > >   -  The firmware image can be confidentiality protected so that
> > >      attempts by an adversary to recover the plaintext binary can be
> > >      [...]
> > >
> > > Perhaps it's just because Bob Briscoe's comments are fresh in my mind,
> > > but there seems to be something of a mismatch across these texts -- we
> > > "have to ensure" that the firmware *is* authenticated and integrity
> > > protected, but only that the image *can be* confidentiality protected.
> > > Is it really the case that we can ensure that an update process *can be*
> > > confidentiality protected, or is the confidentiality requirement more of
> > > a requirement on the architecture than on actual deployment?
> > >
> > >   While the IETF standardization work has been focused on the manifest
> > >   format, a fully interoperable solution needs more than a standardized
> > >   manifest.  For example, protocols for transferring firmware images
> > >   and manifests to the device need to be available as well as the
> > >   status tracker functionality.  Devices also require a mechanism to
> > >   discover the status tracker(s) and/or firmware servers, for example
> > >   using pre-configured hostnames or [RFC6763] DNS-SD.  These building
> > >   blocks have been developed by various organizations under the
> > >   umbrella of an IoT device management solution.  The LwM2M protocol is
> > >   one IoT device management protocol.
> > >
> > > We might put some forward references to things we do cover (like status
> > > tracker(s)), and a reference for LwM2M as well.
> > >
> > > Section 3
> > >
> > >   Hence, the following components are necessary on a device for a
> > >   firmware update solution:
> > >   [...]
> > >   -  a status tracker.
> > >
> > > Earlier we said that having the status tracker on the device was fairly
> > > uncommon.
> > >
> > > Section 7
> > >
> > >   time horizon for quantum-accelerated key extraction.  The worst-case
> > >   estimate, at time of writing, for the time horizon to key extraction
> > >   with quantum acceleration is approximately 2030, based on current
> > >   research [quantum-factorization].
> > >
> > > I'm not sure that I see how the reference suports the "approximately
> > > 2030" statement.
> > >
> > >
> > >
> > 
> > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
> 
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email