[Cfrg] Quantum Computing and Crypto Policies

"Dr. Pala" <director@openca.org> Mon, 11 April 2016 14:33 UTC

Return-Path: <director@openca.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DCBB12EF96 for <cfrg@ietfa.amsl.com>; Mon, 11 Apr 2016 07:33:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.9
X-Spam-Level:
X-Spam-Status: No, score=-0.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_NAME_DR=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id No-hZQo9uDkM for <cfrg@ietfa.amsl.com>; Mon, 11 Apr 2016 07:33:34 -0700 (PDT)
Received: from mail.katezarealty.com (cvps8815162906.hostwindsdns.com [104.168.158.213]) by ietfa.amsl.com (Postfix) with ESMTP id D342D12EF95 for <cfrg@irtf.org>; Mon, 11 Apr 2016 07:33:33 -0700 (PDT)
Received: from iMassi.local (unknown [63.88.3.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id DE82837423E7 for <cfrg@irtf.org>; Mon, 11 Apr 2016 10:33:32 -0400 (EDT)
To: cfrg@irtf.org
From: "Dr. Pala" <director@openca.org>
Organization: OpenCA Labs
Message-ID: <570BB5BC.5000705@openca.org>
Date: Mon, 11 Apr 2016 10:33:32 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------090402000908030405070503"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/FXORaiXuiR5qRVi01IxktIKZzxE>
Subject: [Cfrg] Quantum Computing and Crypto Policies
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2016 14:33:35 -0000

Hi all,

At the CFRG meeting, I have appreciated the presentation about QC in the 
sense that inspired to think about the future in a more practical way 
(although there was probably not much agreement on how to proceed forward).

I have also been following the conversation about the post-quantum 
computing crypto resistance and I am trying to figure out - given what 
we know about possible quantum computing which, as Tim pointed out 
during the meeting, is still very little - what types of policies can be 
implemented today that would allow us to be a bit more resilient to 
attacks in the post quantum-computing environment (i.e., not being taken 
by surprise since deploying of new crypto can take several years in the 
real world despite the algorithm agility we have in current standards). 
I will try to summarize the two main points:

 1. Symmetric crypto is still relatively secure. Using 256bits keys
    (e.g., AES 256) should provide enough confidentiality for the time
    being (this is already a common practice in the industry as the
    overhead compared to 128bits is negligible) - so we are relatively
    safe here.
 2. Given the physical limitations when it comes to be able to have QC
    with high number of qbits, it seems that when it comes to Asymmetric
    crypto, ECDSA (given the limited number of bits and the
    impossibility to extend the number of bits without defining new
    curves) is the weakest choice compared to RSA with very long keys
    (e.g., 8K or 16K bits keys or even bigger...).

In other words, given this scenario and setting aside considerations 
about signature sizes (although, we have seen an increase in computing 
resources in terms of processing power, bandwidth, and storage it seems 
that signature size is a big concern - AFAIK, mostly driven by IoT and 
similar environments - even more than 10yrs ago! and many WGs are using 
the size argument over the security argument in their specifications and 
suggestions), the more flexible and forward-secure choice would be to 
start using "oversized" RSA keys for asymmetric and for symmetric we can 
keep using AES 256 with relative confidence (assuming, as I said, that 
no new quantum-specific algorithms are discovered...)

Does this summarizes the current situation? Are these (very simplistic) 
considerations correct? Anybody disagree with these statements? Why?

Cheers,
Max

-- 
Massimiliano Pala, PhD
Director at OpenCA Labs
twitter: @openca