by chadgpt3 17 days ago
Supersingular Isogeny Key Exchange is one that was invented to be quantum-safe but turned out to be unsafe at any speed, so hybrid encryption is still a good idea. You use both a quantum-safe algorithm and a classical algorithm, encrypting your data twice and remaining secure if either one is broken.

No. "Post-quantum" is not a kind of cryptography; it's an attribute of many different kinds of cryptography. SIKE and modular lattices are completely unrelated. SIKE is moon math that genuinely was introduced to mainstream cryptographers as a post-quantum construction. Lattices have been carefully studied for decades; in the 1990s, it was a live discussion whether the successor to RSA was going to be elliptic curves or lattices.

People bring up SIKE/SIDH in these discussions because Daniel Bernstein has used it as innuendo in his arguments against the MLKEM standard (always left out of those discussions: Bernstein himself backed a lattice KEM in the same competition). It's aggravating because it's very clear that he's succeeded in getting people to believe that SIDH somehow reflects on lattice cryptography. That's not a problem because it's persuasive (no cryptographer would take that argument seriously) but rather because he's succeeded in making people say dumb things.

Worth mentioning the lattice KEM he backed (NTRU prime) is part of a class of lattice-based assumptions that admitted devastating attacks (though not in the parameter regime relevant to public-key cryptography applications). By this I mean the dense sublattice attacks on NTRU.

He has also repeatedly pointed to (seemingly random) pieces of lattice cryptography and claimed that it is the cause for concern/plausibly where attacks may come from. Here, I mean the Galois group structure, the whole "quotient vs product" stuff he was doing trying to pretend LWE is a variant of NTRU (and less secure, which was explicitly wrong), and his "spherical models" claims. These last ones included an explicit claim of subexponential attacks to be presented later, which have been delayed for a number of years now.

In short, his fearmongering over lattices, while persistent, has never been right. He’s pointed fingers at things we have not found issues with, and either backed sides in debates which ended up being less secure (NTRU vs LWE), or completely missed other things (say the sPIP attacks a decade ago). He may plausibly be the least credible person to make predictions about lattices in the world.

This is ignoring all of his other explicitly embarrassing behavior, for example

1. Insinuating all lattice cryptographers are on the payroll of the NSA. The winning schemes were European teams predominantly.

2. Adding a license to all emails he sends in the IETF wg that is incompatible with the wg. This ends up with him getting censure, which he then argues is unjust.

3. Recently, finding a bug in a 2017 piece of software, and then fabricating 3 other bugs. He then wrote a 60 page paper on it, using it as justification to argue against lattices. All of the bugs would be caught by standard high quality testing procedures, eg mutation testing, which he appears unfamiliar with. I believe the “actual” bug (from the v1 reference impl a decade ago) is caught by current test vectors as well.

That he backed PQ crypto that turned out to be broken later should be an argument in favor of hybrid (belts-and-suspenders) schemes rather than against it. Embarrassing behavior amounts to not much more than ad hominems. Hybrid KEMs are a good idea.
I am pointing out a particular cryptographer's abysmal track record in understanding the security of PQ schemes to call into question their current criticisms of PQ schemes. They've always been (in my opinion obviously) fear-mongering in the past. None of this fear-mongering has been right. So I do not put particularly high weight on their current fear-mongering.

This is especially true because they often lie in their fear-mongering. For example, you appear to be a follower of Dan. You seem to think the argument against hybrids is an argument against hybrid KEMs. It's not. That is a lie. Even Dan's recent tirade on the TLS-WG mailing list has been against putting forward an informational RFC on ML-DSA, a (pure lattice) digital signature scheme.

Perhaps you misunderstood this, and Dan accurately described the setting he is fear-mongering over. Perhaps Dan misrepresented things again, as he has been doing for nearly a decade again. I don't particularly care either way. All that matters to me is accurate evaluation of our current options. It is exceedingly frustrating that a high-profile cryptographer seems incapable of doing this, either due to incompetence or malice.

The controversy lately isn’t for encryption. We have a fine hybrid KEM, and it’s being standardized/deployed most places.

The issue instead is for signatures. We don’t have a fine hybrid signature. Concretely, our current hybrid signatures achieve security in a weaker model (they do not achieve BUFF security) than what our PQ signatures achieve.

So the question is if we want explicitly weaker security to provide assurance against possible security issues in the PQ hardness assumption. Or we could delay standardization longer while people search for better ways of making hybrid signatures. Both seem stupid, especially as obtaining cryptographically relevant quantum computers recently seems less like “if” than “when”. Note that when cryptographically relevant quantum computers appear, we will NEED to have a PQ secure component. The main “pro hybrid” cryptographer (Bernstein) has himself predicted classical (public key) cryptography will likely be broken by 2032. Things must transition now.

> You use both a quantum-safe algorithm and a classical algorithm, encrypting your data twice and remaining secure if either one is broken.

No. Don't do that.

If you encrypt your data twice, and one of them is broken by a quantum computer, the adversary gets the plaintext anyway.

You want a Hybrid KEM, not encrypting twice. The nuance matters.

https://durumcrustulum.com/2024/02/24/how-to-hold-kems/

> If you encrypt your data twice, and one of them is broken by a quantum computer, the adversary gets the plaintext anyway.

Is the idea here that "you broke quantum and quantum breaks classical, therefore layering is pointless"?

If you encrypt your data twice (taken very literally):

  c1 = E1(p, k1)
  c2 = E2(p, k2)
If we assume E1() is broken by a quantum computer, E2 doesn't matter to protect p.

What you do instead is to use multiple KEMs and combine them securely (see the blog post I linked) in such a way that the confidentiality of your shared secret (i.e., the key you actually use for encryption) is preserved if any of the underlying KEMs is unbroken.

  ss1, ct1 = KEM1(pk1)
  ss2, ct2 = KEM2(pk2)
  secret = Combiner(ss1, ss2, [ct1, [ct2]])
This in practice looks like a KDF based on a hash function where the component shared secrets (and, depending on the underlying KEM's binding properties, underlying ciphertexts too) are concatenated.

This is very different than merely "encrypt your data twice". You only encrypt your data once. The KEY YOU ENCRYPT WITH is, instead, the result of multiple asymmetric operations.

I cannot stress enough how different these propositions are. It's like suggesting someone swim downstream in electric current. The words might make logical sense to a non-expert, but it's utterly unsafe taken literally.

It seems to me you assumed that the poster that replied to you meant encrypting in parallel, while it seems pretty clear to me what they meant was c = E1(E2(p, k2), k1).

The thing is: Quantum computers don't break AES-GCM, ChaCha20-Poly1305, or any other modern authenticated cipher. Layering encryption or doing cipher cascades is pointless.

The thing a cryptography-relevant quantum computer does is break RSA and elliptic curve cryptography, so that the underlying key (k1 or k2) is recoverable from its corresponding public component.

A hybrid KEM such as mlkem768x25519 (a.k.a. X-Wing) is a simple abstraction with security proofs that does both classical (X25519 is elliptic curve) and post-quantum (ML-KEM-768 is lattice-based) cryptography and combines them securely into a single key agreement.

"Encrypt twice" is bad advice. Even if you get the same approximate security, you're giving up a lot of performance.

Encrypt once, but encrypt with a key you can be confident in the secrecy of.

Are you saying that a "hybrid KEM" is different in theoretical risk from chaining two KEMs? The change of jargon from "encryption" to "KEM" doesn't mean anything to most people talking about this post-quantum risk. To the extent we know what KEM is, we think it is just encrypting the key used for the rest of the bulk encryption.

Whether or not people understand the nuance of encrypting the block cipher keys or encrypting the blocks themselves, I think we all mean to stack the two encryption methods for defense-in-depth protection. They intuit having to open two locks in series to get to the valuable stuff, not adding two different access paths that each suffice for access.

Both encrypting in parallel and encrypting in the second way you mentioned are bad ideas, and are far from being what is seriously being discussed when people talk about hybrid KEMs. Encrypting in parallel is explicitly IND-CPA insecure if one of the ciphers is broken. Your construction is IND-CPA secure, but quite inefficient, and would not fit into modern protocols.

If this was a typical cryptographic topic, this might be fine, and is how I would likely phrase things for an undergraduate cryptography course. Unfortunately, this is a topic that a certain cryptographer with a decently large public following has been spreading conspiracy theories about (and slandering other cryptographers over) for a number of years now. So, discussions on this topic often come from a place where the audience is misinformed, and more care is required in grounding the discussion in what is actually being discussed/considered.

The idea would be:

    key = get_key()
    classic_key = derive_key(key, "domain-classic")
    qc_key = derive_key(key, "domain-qc")
    ciphertext_a = classic_encrypt(plaintext, classic_key)
    ciphertext_b = qc_encrypt(ciphertext_a, qc_key)
I think this is different from what you wrote but I can't really tell.

FWIW I am not advocating for "encrypt twice" at all, I'm just trying to understand.

A better idea is to do this:

  # You kind of have to define this since most libraries don't have it
  def classic_kem(pk):
    [eph_sk, eph_pk] = classic_keygen()
    d = classic_shared_secret(eph_sk, pk)
    return hash(d + eph_pk + pk), eph_pk
  
  # Two pieces ...
  [ss1, ct1] = classic_kem(pk1)
  [ss2, ct2] = postquantum_kem(pk2)
  
  # ... combine into one:
  # note: for some KEMs, ct1 and/or ct2 can safely be omitted
  shared_secret = hash(ss1 + ss2 + ct1 + ct2)
  
  ciphertext = symmetric_encrypt(plaintext, shared_secret, context)
  send_to_other_party(
    ct1,
    ct2,
    ciphertext
  )
This sounds more complex, but I'm just filling in the details implied by your pseudocode and making it at least 2x as fast.

On the opposite side, their code looks like this:

  # I'm ignoring implicit vs explicit rejection for simplicity
  def classic_kem_decaps(ct, sk, pk):
    d = classic_shared_secret(ct, sk)
    return hash(d + ct + pk)

  ss1 = classic_kem_decaps(ct1, sk1, pk1)
  ss2 = postquantum_kem_decaps(ct2, sk2, pk2)
  # must be byte-for-byte the same combiner the sender used
  shared_secret = hash(ss1 + ss2 + ct1 + ct2)

  # raises an exception on decrypt failure (e.g., invalid auth tag)
  plaintext = symmetric_decrypt(ciphertext, shared_secret, context)

If you mean "doing two different KEMs and then securely combining them", then just say that. "Hybrid KEM" is short enough and distinct from other verbiage.
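The contrast between "encrypt twice in parallel" (the c1 = E1(p, k1), c2 = E2(p, k2) case above) and the hybrid KEM combiner in the pseudocode, as an added, runnable example that is not from any commenter. It uses only the Python standard library: the symmetric cipher is a constructed SHA-256 keystream with an HMAC tag standing in for a real AEAD, and the two KEMs' (ss, ct) outputs are random stand-ins, since the point is the combiner and what a single broken component leaks, not the asymmetric math. The length prefixes and domain label in combine() are hardening details added here, beyond the thread's plain hash(ss1 + ss2 + ct1 + ct2).

```python
import hashlib
import hmac
import secrets

# Toy stream cipher + HMAC tag, constructed for this example only (NOT a real AEAD;
# it stands in for AES-GCM/ChaCha20-Poly1305 so the block runs offline with the stdlib).
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def symmetric_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    ct = _keystream_xor(key, nonce, pt)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def symmetric_decrypt(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # wrong key or tampered ciphertext
    return _keystream_xor(key, nonce, ct)

def combine(ss1: bytes, ss2: bytes, ct1: bytes, ct2: bytes) -> bytes:
    """KEM combiner: the thread's hash(ss1 + ss2 + ct1 + ct2), plus a domain label and a
    2-byte length prefix per field so the concatenation cannot be re-split ambiguously.
    Sender and recipient MUST run this exact function."""
    fields = b"".join(len(x).to_bytes(2, "big") + x for x in (ss1, ss2, ct1, ct2))
    return hashlib.sha256(b"hybrid-kem-combiner-v1" + fields).digest()

def encrypt_twice_in_parallel_attack(pt: bytes, k1: bytes, k2: bytes) -> bytes:
    """c1 = E1(p, k1), c2 = E2(p, k2): an attacker who recovered k1 ignores c2 entirely."""
    n1, n2 = secrets.token_bytes(12), secrets.token_bytes(12)
    c1 = symmetric_encrypt(k1, n1, pt)
    c2 = symmetric_encrypt(k2, n2, pt)  # k2 stays secret, but c2 is never needed
    return symmetric_decrypt(k1, n1, c1)  # == pt: the second layer protected nothing

def hybrid_kem_attack(pt: bytes) -> tuple[bytes, bool]:
    """One key from two KEM shared secrets. The attacker knows ss1 (KEM1 broken) and both
    ciphertexts, but not ss2, so the combined key is out of reach; the recipient, who
    decapsulates both, reproduces it. Returns (recipient plaintext, attacker succeeded)."""
    ss1, ct1 = secrets.token_bytes(32), secrets.token_bytes(32)  # stand-in for KEM1 encaps
    ss2, ct2 = secrets.token_bytes(32), secrets.token_bytes(32)  # stand-in for KEM2 encaps
    nonce = secrets.token_bytes(12)
    blob = symmetric_encrypt(combine(ss1, ss2, ct1, ct2), nonce, pt)
    recipient_pt = symmetric_decrypt(combine(ss1, ss2, ct1, ct2), nonce, blob)
    try:  # attacker's candidate key: one guess at the 256-bit ss2 (all zeros here)
        symmetric_decrypt(combine(ss1, bytes(32), ct1, ct2), nonce, blob)
        return recipient_pt, True
    except ValueError:
        return recipient_pt, False
```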

"Encrypt" means something specific, not just the vague use of cryptography.

Trying to bridge this a bit since I'm closer to a layperson in this area.

Symmetric encryption does not need a quantum computer alternative, nor do we need a post quantum hashing algorithm. We may need larger keys and larger outputs from the existing algorithms, but that really depends on the level of paranoia.

It is the asymmetric keys that need post quantum replacement.

So I'm guessing the change to your proposed pseudocode is that you would have two derivation algorithms based on two input asymmetric keys, one post quantum and one classical. You would get from these two separate symmetric keys. You would then layer encryption using each of them, encrypting the cipher text output from the first with the second.

You can however just combine the two derived symmetric keys together to create a single symmetric key, and encrypt once. That is what hybrid algorithms propose.

Why would you take the stupidest possible interpretation of that person's comment?