Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies

"Scott Fluhrer (sfluhrer)" <> Mon, 11 April 2016 21:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1403312DF69 for <>; Mon, 11 Apr 2016 14:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -15.516
X-Spam-Status: No, score=-15.516 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TlSMmdSUDZOC for <>; Mon, 11 Apr 2016 14:02:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BB38112DF1E for <>; Mon, 11 Apr 2016 14:02:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=20718; q=dns/txt; s=iport; t=1460408524; x=1461618124; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=Ic/P0hzO4JKT4uowwwIj0iDE0khZU47GYFIpKR9xA/E=; b=hhwpe6V6EvlD2IaupCtRL2rXIGSnvrY7KSZfOJAemvtZHYTAc3E0Wc79 0Orl3m+3RbqnJv14sJ5qItGlsDsjUC60cRFFbrQHpWi5Ech31Ngkiih90 5L+em9pvEpVIKzoDMY7vlqxLb/pLt/kw6se8lPsMZ5hPT8/uRmYcF7NNk s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos; i="5.24,470,1454976000"; d="scan'208,217"; a="95278773"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Apr 2016 21:02:03 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id u3BL23Ef029074 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 11 Apr 2016 21:02:03 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 11 Apr 2016 17:02:02 -0400
Received: from ([]) by ([]) with mapi id 15.00.1104.009; Mon, 11 Apr 2016 17:02:02 -0400
From: "Scott Fluhrer (sfluhrer)" <>
To: Grigory Marshalko <>, "Dr. Pala" <>, "" <>
Thread-Topic: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies
Thread-Index: AQHRlDOQCZn1/g8DvkWjYwrzs7h/xJ+FPutw
Date: Mon, 11 Apr 2016 21:02:02 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_9b3261feb368462a87e6772b1740d9ecXCHRTP006ciscocom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Apr 2016 21:02:08 -0000

These papers assume a very obscure attack model; where the attacker can generate a plaintext that is a superposition of several possible values, and have the device generate a ciphertext that is a superposition of the encryption of the various values.

We assume that within a Quantum Computer, we somehow maintain coherence of the various quantum states; however this attack model asks that this coherency is not disrupted when the queries leave the Quantum Computer.  Realistically, it is hard to see how this could be implemented over a network.  Quantum Superposition is quite delicate; in fact, the main problem we have in building a Quantum Computer is how to maintain coherence over a nontrivial period of time – it would appear to be unlikely that the device under attack would be helpful enough to the attacker to go through that effort.

Now, for totally public operations (hashing, public key encryption, signature verification, whitebox cryptography), these sorts of attacks are plausible (because someone with a Quantum Computer can perform them entirely within the Quantum Computer, and so go through the effort of maintaining coherence over the entire operation).  However, for attacking devices on the internet, well, it’s less interesting.

From: Cfrg [] On Behalf Of Grigory Marshalko
Sent: Monday, April 11, 2016 4:49 PM
To: Dr. Pala;
Subject: Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies

Not only described issues.
Two recent papers also address the post-quantum security of block cipher modes and MACs.
Grigory Marshalko,
Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)<>

11 апреля 2016 г., 17:33, "Dr. Pala" <<>> написал:
Hi all,

At the CFRG meeting, I have appreciated the presentation about QC in the sense that inspired to think about the future in a more practical way (although there was probably not much agreement on how to proceed forward).

I have also been following the conversation about the post-quantum computing crypto resistance and I am trying to figure out - given what we know about possible quantum computing which, as Tim pointed out during the meeting, is still very little - what types of policies can be implemented today that would allow us to be a bit more resilient to attacks in the post quantum-computing environment (i.e., not being taken by surprise since deploying of new crypto can take several years in the real world despite the algorithm agility we have in current standards). I will try to summarize the two main points:

  1.  Symmetric crypto is still relatively secure. Using 256bits keys (e.g., AES 256) should provide enough confidentiality for the time being (this is already a common practice in the industry as the overhead compared to 128bits is negligible) - so we are relatively safe here.
  2.  Given the physical limitations when it comes to be able to have QC with high number of qbits, it seems that when it comes to Asymmetric crypto, ECDSA (given the limited number of bits and the impossibility to extend the number of bits without defining new curves) is the weakest choice compared to RSA with very long keys (e.g., 8K or 16K bits keys or even bigger...).

In other words, given this scenario and setting aside considerations about signature sizes (although, we have seen an increase in computing resources in terms of processing power, bandwidth, and storage it seems that signature size is a big concern - AFAIK, mostly driven by IoT and similar environments - even more than 10yrs ago! and many WGs are using the size argument over the security argument in their specifications and suggestions), the more flexible and forward-secure choice would be to start using "oversized" RSA keys for asymmetric and for symmetric we can keep using AES 256 with relative confidence (assuming, as I said, that no new quantum-specific algorithms are discovered...)

Does this summarizes the current situation? Are these (very simplistic) considerations correct? Anybody disagree with these statements? Why?



Massimiliano Pala, PhD

Director at OpenCA Labs

twitter: @openca