Thanks for (almost) leading with

Nor are we talking about what comes to mind for engineers accustomed to classical cryptography when you say Hybrid.
(Such engineers typically envision some combination of asymmetric key encapsulation with symmetric encryption; because too many people encrypt with RSA directly and the sane approach is often described as a Hybrid Cryptosystem in the literature.)

Because that’s what I was expecting when I read the headline.
In a similar vein, when the post uses “PQ” to mean post-Quantum, it never states that PQ means post-quantum, and that sent me casting around for a few minutes. It might be good to call that out, too.
I like this analysis:

It’s very tempting to look at this and think, “Wow, that’s a lot of work for something that only helps in 12.5% of possible outcomes!” Uri didn’t explicitly state this assumption, and he might not even believe that, but it is a cognitive trap that emerges in the structure of his argument, so watch your step.
Second, for many candidate algorithms, we’re already in scenario 6 that Uri outlined! It’s not some hypothetical future, it’s the present state of affairs.

and I think it’d be worth pointing out that “hybrid is useless but does not further compromise security” is really the default for the other scenarios. Because some of them read like hybrid is a liability in that regard too.

Good point, thanks! I’ll fix that posthaste

Same for me with CRQC

Clearly PQ refers to Perceptual Quantiser, gotta make sure your crypto works in HDR these days!

Ohhh so that’s what all the talk about perceptual hashing is

Uri’s logic matrix copied in the post is interesting but doesn’t take into account the evolution of the post-quantum ecosystem. It also appears to assume that all post-quantum algorithms are of equal strength and they manifestly are not. For now, a hybrid KEM protects against existing attacks while giving the community a chance to improve attacks against post-quantum algorithms until there are stand-out winners. That’s how we safely reach this eventual outcome:

CRQC arrived, Classic hold against classic attacks, PQ algorithms hold - hybrid can now be retired

We’re not ready yet.

Agree!

Entirely off topic, but I finally see how OwO is supposed to look like a face :)

Personally, I think composite is a better option for security than layered.

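The hybrid KEM the comments above argue for, as an added example that is not code from the post or from anyone in the thread: one handshake in Go where the server publishes a public key per layer, the client encapsulates against both, and each side derives the session key from both shared secrets with a concatenation-style HKDF combiner. X25519 from the standard library is the classical layer. The post-quantum layer is an assumption: in deployment it would be a PQ KEM such as ML-KEM, but here a second, independent X25519 instance stands in for it so the example runs on the standard library alone; that stand-in gives no quantum resistance and only supplies the combiner's second input. The names `Combine`, `Exchange`, `hkdfSHA256`, `encaps`, `decaps` and the info label are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hkdfSHA256 derives one 32-byte key with HKDF (RFC 5869), built from the
// standard library's HMAC so the example needs no external packages.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt) // nil salt == zero-filled salt
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01}) // first (and only) output block T(1)
	return expand.Sum(nil)
}

// Combine is the hybrid combiner: the session key is an HKDF of BOTH shared
// secrets, with both ciphertexts bound in through the info string. Whoever
// recovers only one secret (say the classical one with a CRQC, or only the
// PQ one if that scheme falls) still lacks half of the KDF input.
func Combine(ssClassic, ssPQ, ctClassic, ctPQ []byte) []byte {
	ikm := append(append([]byte{}, ssClassic...), ssPQ...)
	info := append([]byte("hybrid-kem-example"), ctClassic...) // constructed label
	info = append(info, ctPQ...)
	return hkdfSHA256(ikm, nil, info)
}

// Both layers expose the same KEM shape: encapsulate against a public key,
// decapsulate with the private key. X25519 is used as a KEM, the ephemeral
// public key being the ciphertext.
// ASSUMPTION: the PQ layer below reuses these same two functions with a
// second X25519 keypair as a stand-in for a real PQ KEM (e.g. ML-KEM).
func encaps(pk *ecdh.PublicKey) (ss, ct []byte) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ss, err = eph.ECDH(pk)
	if err != nil {
		panic(err)
	}
	return ss, eph.PublicKey().Bytes()
}

func decaps(sk *ecdh.PrivateKey, ct []byte) []byte {
	pk, err := ecdh.X25519().NewPublicKey(ct)
	if err != nil {
		panic(err)
	}
	ss, err := sk.ECDH(pk)
	if err != nil {
		panic(err)
	}
	return ss
}

// Exchange runs one hybrid handshake and returns the key each side derived.
func Exchange() (clientKey, serverKey []byte) {
	// Server: one keypair per layer (the second is the stand-in PQ key).
	srvClassic, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srvPQ, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Server -> Client: both public keys.
	// Client: encapsulate against each; Client -> Server: ctClassic || ctPQ.
	ssC, ctC := encaps(srvClassic.PublicKey())
	ssP, ctP := encaps(srvPQ.PublicKey())
	clientKey = Combine(ssC, ssP, ctC, ctP)
	// Server: decapsulate each layer and combine the same way.
	serverKey = Combine(decaps(srvClassic, ctC), decaps(srvPQ, ctP), ctC, ctP)
	return clientKey, serverKey
}

func main() {
	c, s := Exchange()
	fmt.Printf("client %s\nserver %s\nmatch  %v\n",
		hex.EncodeToString(c), hex.EncodeToString(s), bytes.Equal(c, s))
}
```

The combiner is where the "hybrid is useless but does not further compromise security" default from the first comment lives: the key stands as long as either layer's secret is unknown to the attacker, and binding the ciphertexts into the info string ties the derived key to this particular exchange rather than to the secrets alone.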
One additional pet bugbear not covered: current PQ is currently computationally expensive and exposing that to the Internet as the first layer is a DoS attack issue, if you’re doing client authentication. We don’t deploy 16384-bit RSA keys or the like, but from what I’ve seen a lot of the PQ seems to be equivalently heavy.
So for link security, using classic crypto as the first layer protects you against a CPU exhaustion attack because anyone who can cause you to “waste” time on the PQ crypto must already have a CRQC to break your classic crypto.
When running a web-server, there’s a huge difference between “three intelligence agencies and two corporations can break the classic crypto and we need PQ crypto as a second layer, and they can impose costs on us” and “every script kiddie on the planet can just use a botnet to trivially DoS the server by just starting handshakes”.
None of this applies to server-only authentication, you’re having to do the session work for every visitor anyway. This is entirely about “the side which verifies” limiting how much work they can be forced to waste.
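The ordering argument in the last comment, as an added example that is not code from the post or the thread: a layered client-authentication verifier in Go that checks the cheap classical signature first and only pays for the expensive layer once that passes. Ed25519 from the standard library is the classical layer. The post-quantum layer is an assumption and a stand-in, an iterated hash with a tunable cost rather than a real PQ signature scheme, since the point is the order of the checks and not the scheme; `LayeredVerifier`, `Scenario`, `pqTag` and `pqCostIterations` are names constructed for this example. `Scenario` feeds the same traffic to both orderings and returns how often each layer actually ran.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// VerifyStats counts how many times each layer actually executed.
type VerifyStats struct {
	ClassicCalls int
	PQCalls      int
}

// pqCostIterations models the relative cost of the post-quantum layer.
// ASSUMPTION: arbitrary; real PQ verification cost depends on the scheme.
const pqCostIterations = 2000

// pqTag is a constructed stand-in for a post-quantum signature: an iterated
// hash over a secret and the message. It is NOT a real or secure signature
// scheme; it only gives the expensive layer something to recompute and check.
func pqTag(secret, msg []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, secret...), msg...))
	for i := 0; i < pqCostIterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// mustRandom returns n random bytes; forged signatures in the scenario are
// simply random bytes of the right length.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// LayeredVerifier holds the classical public key, the expensive PQ check,
// and counters for how much work it has been made to do.
type LayeredVerifier struct {
	classicPub ed25519.PublicKey
	pqVerify   func(msg, sig []byte) bool
	Stats      VerifyStats
}

// VerifyClassicFirst: the cheap classical check runs first, so the PQ layer
// is only ever exercised by a sender whose classical signature already verifies.
func (v *LayeredVerifier) VerifyClassicFirst(msg, classicSig, pqSig []byte) bool {
	v.Stats.ClassicCalls++
	if !ed25519.Verify(v.classicPub, msg, classicSig) {
		return false
	}
	v.Stats.PQCalls++
	return v.pqVerify(msg, pqSig)
}

// VerifyPQFirst is the ordering the comment warns against: every handshake,
// however bogus, costs a full PQ verification before anything cheap is tried.
func (v *LayeredVerifier) VerifyPQFirst(msg, classicSig, pqSig []byte) bool {
	v.Stats.PQCalls++
	if !v.pqVerify(msg, pqSig) {
		return false
	}
	v.Stats.ClassicCalls++
	return ed25519.Verify(v.classicPub, msg, classicSig)
}

// Scenario feeds both orderings the same traffic: `bogus` handshakes with
// random bytes in both signature slots (a flood from clients holding no keys),
// one handshake with a valid classical signature but a bad PQ tag (what only a
// sender who has already broken the classical layer could produce), and one
// fully valid handshake. It returns each ordering's work counters and whether
// both accepted the valid handshake.
func Scenario(bogus int) (classicFirst, pqFirst VerifyStats, validOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pqSecret := mustRandom(32)
	pqVerify := func(msg, sig []byte) bool {
		return subtle.ConstantTimeCompare(pqTag(pqSecret, msg), sig) == 1
	}
	msg := []byte("constructed sample handshake transcript")
	goodClassic := ed25519.Sign(priv, msg)
	goodPQ := pqTag(pqSecret, msg)

	run := func(verify func(msg, classicSig, pqSig []byte) bool) bool {
		for i := 0; i < bogus; i++ {
			if verify(msg, mustRandom(ed25519.SignatureSize), mustRandom(sha256.Size)) {
				panic("forged handshake accepted")
			}
		}
		if verify(msg, goodClassic, mustRandom(sha256.Size)) {
			panic("handshake with bad PQ tag accepted")
		}
		return verify(msg, goodClassic, goodPQ)
	}
	vc := &LayeredVerifier{classicPub: pub, pqVerify: pqVerify}
	vp := &LayeredVerifier{classicPub: pub, pqVerify: pqVerify}
	okC := run(vc.VerifyClassicFirst)
	okP := run(vp.VerifyPQFirst)
	return vc.Stats, vp.Stats, okC && okP
}

func main() {
	c, p, ok := Scenario(100)
	fmt.Printf("classic-first %+v  pq-first %+v  valid accepted: %v\n", c, p, ok)
}
```

With 100 forged handshakes, classic-first runs the PQ layer exactly twice (once for the handshake carrying a valid classical signature, once for the valid one), while PQ-first runs it 102 times; both orderings reject the same forgeries, so the only thing the order changes is how much of the verifier's CPU a keyless sender can consume.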