Re: [Cfrg] likelihood that someone has a quantum computer (was: Re: considering new topics for CFRG)

Yoav Nir <> Mon, 13 January 2014 06:23 UTC

From: Yoav Nir <>
To: Watson Ladd <>
Date: Mon, 13 Jan 2014 06:23:17 +0000

On Jan 13, 2014, at 6:49 AM, Watson Ladd <> wrote:

> On Sun, Jan 12, 2014 at 8:16 PM, William Whyte
> <> wrote:
>> Hi all,
>> Sorry again for top-posting, that's gmail for you.
>>> I would put it more positively as: let's figure out how to use
>>> post-quantum cryptography in practice, because if there is a breakthrough in
>>> quantum computing, the mad rush will be ugly.
>> As I mentioned in a previous mail, I think the best way to do this is to
>> figure out how to avoid depending on a single public key algorithm in any
>> context, because all public key algorithms are potentially vulnerable to
>> technological and algorithmic breakthroughs. So combining public key
>> algorithms seems like a prudent approach. I know there are Certicom patents
>> on this but it seems that this shouldn't be insuperable.
> But that depends on at least one algorithm being postquantum secure,
> and historically
> we've not had any real surprises in the public key world.
> Algorithms exist that do this, we just need to be ahead of the game in
> specifying them. I'll see if McBits is amenable to standardization. Worst
> case we wait for NTRU patents to expire, and adopt it. 

Just as a procedural note, we don't have to wait for any patents to expire. We can specify standards that use these patents, as long as those patents are disclosed. As in .

There is a general attitude in the IETF that standardizing patented technology is bad, because it discourages open source implementations, but with such old patents (they were issued in '97, no?) that is far less a concern.

When we do standardize patented technology, implementers have four choices:
 1. Get a license
 2. Decide that the patent is bogus, and fight it in court.
 3. Wait for the patent to expire.
 4. Ignore the technology.

All implementers have lawyers, and all implementers hate paying for IPR, so #1 and #2 hardly ever happen (with notable exceptions such as RSA years ago and some codecs).

Considering that we have no proof of any adversary having a quantum computer just yet, #3 and #4 are more likely, but that's a choice for implementers to make. We can lead a horse to water and all that.