+1 to what Dan says below.

From: D. J. Bernstein <d...@cr.yp.to>
Date: Saturday, 23 November 2024 at 16:04
To: tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS

Ilari Liusvaara writes:
> The argument forgets that to break ECC+PQ, the attacker has to break
> _either_:
> a) ECC and PQ.
> b) The hybrid construction.

The combiner is much simpler than the PQ system. Furthermore, the main way that academics manufacture literature on combiner attacks is by hyping obscure security properties---whereas there are many more PQ attack papers aiming for, and often achieving, devastating breaks. https://blog.cr.yp.to/20240102-hybrid.html includes examples of how things could go wrong with hybrids, and compares those risks to the risks of PQ breaks.

> The risk from b) is very different for encryption and signatures.

I agree that encryption differs from signatures in the combiner details and in the combiner security analyses. However, in both cases we're talking about a much smaller attack surface than the PQ system. The possibility of combiner attacks doesn't justify exposing users to the much bigger risk of PQ breaks.

Here's a concrete example of how arguments about combiner details are regarding much smaller security risks than PQ breaks. One of my objections to X-Wing is that---even if we assume that the application specifically wants to use Kyber---reviewing the security claims for the X-Wing construction requires checking a claimed proof of some properties of Kyber. It's not even clear what security level is being claimed for those specific properties, and in any case I don't like the fact that overloaded security reviewers are being asked to do extra work so that X-Wing can skip a trivially affordable hash call.

But it's much more challenging to review the analyses of lattice attacks, a complicated topic where the state of the art keeps changing, with mistakes found all the time---often mistakes that had lasted for years. Gentry's original ideal-lattice-based STOC 2009 FHE system wasn't broken until 2014. The "Round2" lattice-based submission to NIST wasn't broken until 2020. The 2010 paper introducing what's now called "FrodoKEM" estimated security 2^150 for lattice dimension 256, which today sounds absurd. https://eprint.iacr.org/2024/739 exploits a 40-bit error in NIST's evaluation of the impact of memory-access costs upon Kyber-512 security. Et cetera.

Using the cost of security review as a predictor of failure probability says that, whatever chance there is of the combiner failing, we have to be much more worried about Kyber.

As for impact, Shoup pointed out in https://eprint.iacr.org/2001/112 that most protocols are fine with "benign malleability". In that context, a combiner that simply hashes together two session keys is just fine, and the extra goals of X-Wing don't matter.

Similarly, a signature combiner that simply concatenates two signatures is just fine for most applications. Meanwhile a typical PQ break recovering keys is a disaster for all of these applications.

I'm in favor of slightly more complicated combiners (Chempat for KEMs, https://mailarchive.ietf.org/arch/msg/cfrg/LdvasJBpseekZtQkQF1nuPPDH_s/ for signatures), in part because some cheap extra hashing occasionally compensates for carelessness in protocol designs, and in part to fix the verification disconnect between

* protocol analyses assuming IND-CCA2 (and SUF-CMA and so on) and

* simple concatenation not generically guaranteeing IND-CCA2 against breaks of one component.

But the impact of attacks here is not on the same scale as a PQ break recovering keys.

> With encryption, it is small risk because the constructions are simple
> and quite resilient to flaws (outside memory safety) in real world.

Again, having a signature that internally concatenates two signatures is simple and works fine for most applications (e.g., TLS), the same way that having a KEM session key that internally hashes together two KEM session keys is simple and works fine for most applications (e.g., TLS). The more complicated combiners mentioned above are still just a few lines of code, with much smaller attack surfaces than PQ systems, in both the encryption case and the signature case. I don't see why one would assign higher risks to signature combiners than to encryption combiners.

More to the point, the PQ code is much more complicated than the combiner code, with a vastly more complicated attack story; one has to worry correspondingly more about PQ breaks.

> But with signatures, the risks become substantial because:
> - Complexity. Some of it to deal with known non-obvious attacks.
> - Known unknown attacks.

One could use exactly the same words to claim that encryption combiners have "substantial" risks. Arguing about "small" vs. "substantial" risks is pointless without quantification.

> Even just the LAMPS composite signature combiner is known to be
> cryptographically unsound. Sound signature combiners are in theory
> impossible

Again, it's easy to manufacture papers hyping minor security properties. This is not how the TLS WG should be making security decisions. As an analogy, imagine someone pushing tomorrow for TLS to endorse QKD since secure public-key cryptography is in theory impossible. The WG should react by asking what notion of security we're talking about, why that notion matters, and what security risks are being incurred by the supposed solution.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
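An added illustration, not code from this thread, of the two KEM combiner shapes the message contrasts: hashing the two session keys together (fine under "benign malleability") versus the "cheap extra hashing" that also binds ciphertexts and public keys. `ToyKEM` and its `malleable` flag are constructed stand-ins with no security, and `combine_binding` is only in the spirit of Chempat/X-Wing, not either specification.

```python
import hashlib
import os

def H(*parts: bytes) -> bytes:
    # Length-prefixed SHA3-256, so different splits of the same bytes cannot collide.
    h = hashlib.sha3_256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()

class ToyKEM:
    """Constructed stand-in for one hybrid component (ECC or PQ). It offers no
    security; it only supplies encaps/decaps so the combiners can be exercised."""
    def __init__(self, tag: bytes, malleable: bool = False):
        self.tag, self.malleable = tag, malleable
    def keygen(self):
        sk = os.urandom(32)
        return sk, H(self.tag, b"pk", sk)
    def encaps(self, pk):
        ct = os.urandom(32)
        return ct, self._ss(pk, ct)
    def decaps(self, sk, ct):
        return self._ss(H(self.tag, b"pk", sk), ct)
    def _ss(self, pk, ct):
        # A "malleable" component ignores the last ciphertext byte, so two distinct
        # ciphertexts decapsulate to the same secret (benign malleability, constructed).
        body = ct[:-1] if self.malleable else ct
        return H(self.tag, b"ss", pk, body)

def combine_simple(ss_a, ss_b):
    # The combiner the message calls "just fine" for most protocols: hash both keys.
    return H(b"simple", ss_a, ss_b)

def combine_binding(ss_a, ss_b, ct_a, ct_b, pk_a, pk_b):
    # The "cheap extra hashing": additionally bind both ciphertexts and public keys.
    return H(b"binding", ss_a, ss_b, ct_a, ct_b, pk_a, pk_b)

def malleability_survives(binding: bool) -> bool:
    """True if flipping the ignored byte of the malleable PQ ciphertext still
    yields the same combined key, i.e. the combiner passes the malleability through."""
    ecc, pq = ToyKEM(b"ecc"), ToyKEM(b"pq", malleable=True)
    (sk_a, pk_a), (sk_b, pk_b) = ecc.keygen(), pq.keygen()
    (ct_a, _), (ct_b, _) = ecc.encaps(pk_a), pq.encaps(pk_b)
    ct_b2 = ct_b[:-1] + bytes([ct_b[-1] ^ 1])  # second ciphertext, same PQ secret
    def key(ctb):
        ss_a, ss_b = ecc.decaps(sk_a, ct_a), pq.decaps(sk_b, ctb)
        return (combine_binding(ss_a, ss_b, ct_a, ctb, pk_a, pk_b) if binding
                else combine_simple(ss_a, ss_b))
    return key(ct_b) == key(ct_b2)
```

With the simple combiner the second ciphertext yields the same hybrid key, which is harmless for protocols that tolerate benign malleability; with the binding combiner it does not.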