Re: [Cfrg] New draft on the transition from classical to post-quantum cryptography

Hugo Krawczyk <> Thu, 11 May 2017 04:02 UTC

To: Stephen Farrell <>
Cc: Russ Housley <>, Uri Blumenthal <>, Paul Hoffman <>, IRTF CFRG <>

I want to highlight the importance of the post-quantum work regardless of
the post-quantum prospects, namely, independently of the predictions and
feasibility of constructing Shor-grade quantum computers.

People claim that we need to move to quantum-resistant crypto now (or in
the near future) since there is information created now that needs to stay
secret for 30-50 (even 100) years. My strong recommendation for such
applications is to NOT use public key (PK) encryption or PK-based online
key exchange to generate encryption keys for this data. Rather, exchange
keys offline and onion-encrypt with several symmetric ciphers and
over-sized keys (twice the security parameter).

This recommendation is *independent* of the prospects of quantum
computation (QC) reaching the point in which it can break PK cryptosystems.
It is rather based on the precarious standing of all our public key
algorithms and their potential vulnerabilities to *classical*

Is the probability of ECC and/or RSA being broken by mathematical
cryptanalysis higher or lower than the probability of these systems being
broken by QC in x years? I don't know. But I do know that while a powerful
quantum computer will not be built overnight, a devastating mathematical
break (of EC or RSA cryptography) could happen in the middle of the night.
All you need is one bright person dreaming the right idea.

So what I am saying is that we need to thank QC for drawing attention to
the need to diversify our algorithms, to build our protocols with algorithm
agility and negotiation, to invest serious funding in researching new
public key mechanisms, particularly in the area of lattice-based
cryptography (where many other benefits are likely to arise), and to make
us all think about how to *really* ensure long-term secrecy. We should have
done all of this without the threat of powerful quantum computers, but
without it we wouldn't have had the attention and funding we now have to
address these most important problems.

So, thanks QC! You are already making our systems more durably secure! Now,
let's not allow the speculations surrounding the feasibility and timing of
QC distract us from the really important task of diversifying PK
cryptography. Keep the attention, focus and funding coming.
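The "onion-encrypt with several symmetric ciphers and over-sized keys" recommendation above, as an added example that is not part of Krawczyk's message. It layers two independent symmetric primitives, each under its own 512-bit key (twice a 256-bit security level), so the plaintext stays hidden even if one layer's algorithm or key is compromised. The two keystream generators are standard-library stand-ins (an HMAC-SHA256 counter-mode keystream and a SHAKE256 keystream) chosen so the example runs without third-party packages; in a deployment the same structure would hold ciphers from distinct families such as AES-256 and ChaCha20.

```python
# Added example, not code from the original message. Confidentiality only:
# a real deployment would also authenticate the outer layer with a MAC.
import hashlib
import hmac
import secrets

KEY_BYTES = 64     # 512-bit keys: twice the 256-bit security parameter
NONCE_BYTES = 16

def hmac_ctr_keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode (SHA-2 family)."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        block = nonce + ctr.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
    return bytes(out[:n])

def shake_keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Keystream from the SHAKE256 extendable-output function (Keccak family)."""
    return hashlib.shake_256(key + nonce).digest(n)

# One layer per primitive; a break of either family alone does not expose data.
LAYERS = (hmac_ctr_keystream, shake_keystream)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def generate_keys() -> list:
    # Independent key per layer from a CSPRNG. Per the recommendation these are
    # exchanged offline, never derived from a public-key key exchange.
    return [secrets.token_bytes(KEY_BYTES) for _ in LAYERS]

def onion_encrypt(keys, plaintext: bytes) -> bytes:
    ct = plaintext
    for keystream, key in zip(LAYERS, keys):      # inner layer first
        nonce = secrets.token_bytes(NONCE_BYTES)
        ct = nonce + xor(ct, keystream(key, nonce, len(ct)))
    return ct

def onion_decrypt(keys, ciphertext: bytes) -> bytes:
    pt = ciphertext
    for keystream, key in reversed(list(zip(LAYERS, keys))):  # outer first
        nonce, body = pt[:NONCE_BYTES], pt[NONCE_BYTES:]
        pt = xor(body, keystream(key, nonce, len(body)))
    return pt

def survives_layer_break(keys, plaintext: bytes, broken: int) -> bool:
    """Model an attacker who recovered only layer `broken`'s key: the
    plaintext is not recovered while the other layer's key is unknown."""
    ct = onion_encrypt(keys, plaintext)
    attacker_keys = [k if i == broken else secrets.token_bytes(KEY_BYTES)
                     for i, k in enumerate(keys)]
    return onion_decrypt(attacker_keys, ct) != plaintext
```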