Blumenthal, Uri - 0553 - MITLL writes:
> we know enough now about the accepted PQ algorithms to be reasonably
> certain that they won't be the weakest part.

Reasonably certain meaning, what, 90% certainty? What's the basis for this claim? And are you saying that a 10% chance of disaster is okay?

> Where do you draw the line?

Simple: require hybrids. Any upgrade from pre-quantum crypto to post-quantum crypto is obliged to keep the pre-quantum crypto and to use the post-quantum crypto as an extra layer of defense, rather than removing the pre-quantum crypto. This requirement distinguishes "switch from ECC to Dilithium in TLS" (not allowed) from "switch from ECC to ECC+Dilithium in TLS" (allowed), for example.

The point is to address the concern that an upgrade to post-quantum crypto will be to something that's actually breakable. This isn't a hypothetical concern. On the mathematical side, CECPQ2b was rolled out with ECC+SIKE, and then the SIKE part was publicly broken; on the implementation side, PQ software is still in the early days of continual discovery of exciting new classes of security failures.

Directly addressing this concern reduces security risks and encourages deployment. That's exactly why we see so much hybrid deployment already. People understand and appreciate the idea of (1) rolling something out that _hopefully_ stops quantum attacks while (2) taking reasonable steps to limit the damage in case #1 goes disastrously wrong.

There are contrary arguments from NSA and GCHQ for using PQ rather than ECC+PQ. https://blog.cr.yp.to/20240102-hybrid.html quotes and answers those arguments. For example, the generic argument about ECC+PQ being "less efficient" than PQ is easily answered by quantification of how the total ECC+PQ costs are dominated by the PQ communication costs.

If, hypothetically, someone proposes requiring ECC+PQ1+PQ2 rather than ECC+PQ1, then I'd ask for that proposal to be addressed separately since analyzing its cost acceptability is much more complicated.

See also https://mailarchive.ietf.org/arch/msg/tls/2bRwN2CUGDwDwwpjHI63uyG09Lk/ regarding the idea of making exceptions to ECC+PQ for some PQ systems. These variations are distractions from the simple common-sense step of requiring hybrids.

I've seen various comments that come across as "yes, of course we should use hybrids, but the U.S. government won't buy hybrids". I'm skeptical about the accuracy of the won't-buy rumor---NSA's official statements don't sound like a ban on hybrids---and in any case we shouldn't allow money to buy approval of something frivolously incurring security risks. Realistically, what's the problem supposed to be if the TLS WG requires hybrids? Do we really think the WG is so powerless?

> I recognize (though disagreeing with) the arguments of those who want
> hybrid KEMs. I do not buy the arguments for hybrid signatures at all.

Sorry, can you please say what the relevant difference is supposed to be between encryption and signatures? Compared to just PQ, whether for encryption or for signatures, ECC+PQ reduces the damage caused by PQ breaks. Quantifying costs of ECC vs. PQ doesn't give the same numbers for encryption as it does for signatures, but in both cases the total costs of communication and computation for ECC are much smaller than the costs of PQ communication.

> This boils down to the need to maintain infrastructure, codebase, etc.
> for ECC and PQ,

Pointing to the PQ software is wrong when the comparison is between PQ and ECC+PQ. The difference is only the ECC software, which is simpler and vastly more mature than the PQ software.

> plus the possible intricacies of their interactions

The only ECC+PQ failures that matter are the ones so extreme that they make ECC+PQ _less_ secure than PQ alone would have been. Sure, this can happen: e.g., a quantum computer comes along and then it turns out that someone forgot to verify the PQ part of an ECC+PQ signature. So we build tests for that.

The risks here are much more controlled than the risks of further PQ breaks. It makes no sense to worry more about failures in the combiner code than in orders of magnitude more code for the PQ system. Analogous comments apply to mathematical attacks: sure, combiners have an attack surface, but the PQ attack surface is much larger.

---D. J. Bernstein
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
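The failure mode described in the message (a hybrid-signature combiner that carries the PQ component but never checks it, so that a quantum break of the ECC part breaks the whole thing) and the "so we build tests for that" point, as an added example that is not part of the original message, of any TLS draft, or of any real library. It models the pre-quantum component with a toy Schnorr signature over Z_p^* (a discrete-log scheme, broken by the same quantum algorithm that breaks ECC) and the post-quantum component with a Lamport one-time signature over SHA-256; the modulus, the generator, the simulated "break" (handing the attacker the private key that the broken component's public key would reveal) and the function names are all assumptions chosen for the example, and nothing here is usable as a real parameter set.

```python
"""Toy hybrid (pre-quantum + post-quantum) signature combiner, with a test for
a combiner that forgets to verify one component.  Added example; not code
from the original message.  All parameters below are assumptions for the
example only and are insecure for real use."""
import hashlib
import secrets

P = (1 << 127) - 1   # assumption: toy Mersenne prime modulus, not a real parameter
G = 3                # assumption: toy generator of (a subgroup of) Z_p^*
ORDER = P - 1        # exponents reduced mod p-1 (group order divides this)


def h_int(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


# ---- pre-quantum component: Schnorr over Z_p^* (stand-in for ECC) ----
def dl_keygen():
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def dl_sign(x: int, msg: bytes):
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, k, P)
    y = pow(G, x, P)
    e = h_int(r.to_bytes(16, "big"), y.to_bytes(16, "big"), msg) % ORDER
    return r, (k + e * x) % ORDER


def dl_verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not 0 < r < P:
        return False
    e = h_int(r.to_bytes(16, "big"), y.to_bytes(16, "big"), msg) % ORDER
    return pow(G, s, P) == (r * pow(y, e, P)) % P


# ---- post-quantum component: Lamport one-time signature (stand-in for a PQ scheme) ----
def lam_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lam_sign(sk, msg: bytes):
    # one-time: reveals half of the secret key, so never reuse sk
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lam_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(sig[i]).digest() == pk[i][b]
               for i, b in enumerate(_bits(msg)))


# ---- hybrid: both components sign the same message ----
def hybrid_keygen():
    x, y = dl_keygen()
    sk_l, pk_l = lam_keygen()
    return (x, sk_l), (y, pk_l)


def hybrid_sign(sk, msg: bytes):
    x, sk_l = sk
    return dl_sign(x, msg), lam_sign(sk_l, msg)


def hybrid_verify(pk, msg: bytes, sig) -> bool:
    """Correct AND-combiner: accept only if BOTH components verify."""
    y, pk_l = pk
    sig_dl, sig_l = sig
    return dl_verify(y, msg, sig_dl) and lam_verify(pk_l, msg, sig_l)


def hybrid_verify_buggy(pk, msg: bytes, sig) -> bool:
    """The bug from the message: the PQ part is transported but never checked."""
    y, _ = pk
    sig_dl, _ = sig
    return dl_verify(y, msg, sig_dl)


# ---- the test: simulate a break of one component and check the combiner ----
def forge_after_break(pk, sk, msg: bytes, broken: str):
    """Attacker holds the leaked key of the broken component, garbage for the other."""
    x, sk_l = sk
    if broken == "dl":   # quantum computer recovered x from y
        return dl_sign(x, msg), [secrets.token_bytes(32) for _ in range(256)]
    # hypothetical break of the PQ scheme instead
    return (secrets.randbelow(P - 2) + 1, secrets.randbelow(ORDER)), lam_sign(sk_l, msg)


def combiner_survives_single_break(verify) -> bool:
    """True iff `verify` accepts honest signatures and rejects a forgery made
    with either component's leaked key alone (i.e. is as strong as the stronger part)."""
    sk, pk = hybrid_keygen()
    msg = b"constructed test message"           # constructed sample input
    if not verify(pk, msg, hybrid_sign(sk, msg)):
        return False
    return all(not verify(pk, msg, forge_after_break(pk, sk, msg, broken))
               for broken in ("dl", "pq"))


if __name__ == "__main__":
    print("correct combiner survives a single break:", combiner_survives_single_break(hybrid_verify))
    print("buggy combiner survives a single break:  ", combiner_survives_single_break(hybrid_verify_buggy))
```

The test encodes exactly the asymmetry the message draws: the only combiner failures worth worrying about are the ones that leave ECC+PQ weaker than PQ alone, and `combiner_survives_single_break` checks that from both sides, so the same test also catches the mirror bug of verifying the PQ part and skipping the ECC part. A real combiner additionally has to fix what each component signs (the bare message, as in this toy, or a domain-separated encoding that also binds both public keys), but that choice does not change the AND check being tested here.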