> I think it's clearer to look at what NSA posts online (and
> which was the basis for the talk)
>
>       [from NSA FAQ]  The intention is to update CNSA to remove
>       quantum-vulnerable algorithms and replace them with a subset
>       of the quantum-resistant algorithms selected by NIST . . .
>
>       [..] CNSSP-15 will be updated with a timeline for required
>       use of the post-quantum algorithms and disuse of the
>       quantum-vulnerable portion of the current CNSA Suite
>
> both sound like a swap, not like an overlapping period.

Of course! What else is news?

NSA controls CNSA (the suite that you don't have to use, BTW), and they
explicitly stated (more than once) that hybrids aren't in their plans.

I think the following is the succinct summary of this long exchange:

>    . . .  The NSA speaker . . . made a point against
>    hybrids . . .
>
>    I see this as a strong argument for NIST to include hybrids in the
>    standards.

I see this as a strong argument that
NIST should standardize good algorithms,
NSA should choose what they think best for protecting US National Security Systems, and
We (the community, mostly IETF, as that's where my experience is) should use whatever, in whatever combination, cryptographers consider strong, most likely from the NIST standards.

So, if you want to see protocols include hybrid, then IETF, and not NIST, is where it's being discussed.
You might be happy to learn that the majority at IETF leans that way: to use NIST algorithms in a hybrid protocol.

Now, a funny bit. I was against hybrid, and did not plan to use it. Now my design uses a hybrid protocol. For reasons that have nothing to do with the security of PQ KEMs.

    On Wed, Aug 10, 2022 at 08:56:09PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
    > > > A colleague told me that she questioned this, and the clarification
    > > > was that they "don't plan to REQUIRE hybrids".
    > >
    > > That's not a clarification; it's a secondhand rumor that's completely
    > > inconsistent with what the NSA slide
    > > https://web.archive.org/web/20220524232249/https://twitter.com/mjos_crypto/status/1433443198534361101/photo/1
    >
    > I'm not arguing - I'm simply sharing what I was told when I asked, because that slide surprised me too.
    >
    > Of course, in any case, it would only apply and matter to those who seek NSA approval or certification of their products, which in turn is only relevant to stuff that protects Classified data (for DoD and such).
    >
    > > Even if there's enough pressure at some
    > > point to force NSA to publicly switch to allowing hybrids, vendors have
    > > already received the memo that NSA doesn't want hybrids. (The slide was
    > > presented at the International Cryptographic Module Conference.)
    >
    > If what I've been told is correct - and I've no reason to assume otherwise - hybrids *can* be approved by NSA, i.e., already *are* allowed, just not "encouraged". I understand that me sharing what I've heard may not be sufficient - is there a way to get an official answer from NSA on this?
    >
    > But, frankly, I don't see why vendors would implement hybrid in the first place in the products that require NSA approval, if NSA doesn't require it. And the fact that NSA does not like hybrids and won't require them is incontestable (unless they change their opinion in the future, which I doubt).
    >
    > > In this environment, it's critical to know whether NIST's post-quantum
    > > standards will require hybrids.
    >
    > I think NIST standards are orthogonal to use of hybrids, and it won't make any sense for NIST to require them. NIST standardizes KEMs. You want to combine/concatenate several of the standardized KEMs, and maybe add ECC and/or RSA to the mix? Fine, just don't try to force me to do the same.
    >
    >
    > > > > NSA has direct control over large volumes of U.S. government purchasing
    > > > Not in the non-military/non-DoD, AFAIK.
    > >
    > > https://en.wikipedia.org/wiki/Military_budget_of_the_United_States says
    > > "the FY2023 defense budget request will exceed $773 billion".
    >
    > DoD used to be the biggest and the most influential customer of companies like Microsoft. It does not seem to be so anymore. I assume NSA would be in the same category. And, as you know, US government is a lot more than DoD.

-- 
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/29C85CB2-271E-4B8A-BC52-C8ED2B95C7EC%40ll.mit.edu.