Re: [Cfrg] New draft on the transition from classical to post-quantum cryptography

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 08 May 2017 14:20 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] New draft on the transition from classical to post-quantum cryptography
Date: Mon, 8 May 2017 14:20:52 +0000
Message-ID: <8076F68B-F7B1-487B-86ED-B6DCFE93EBF2@ll.mit.edu>
References: <BAE7613D-D89C-4F19-8FA5-1D3BCC55DCCB@vpnc.org> <78B0B91A8FEB2E43B20BCCE132613181399287CA@mail-essen-01.secunet.de> <9E0DFD44-3000-4E5B-BAE6-2EF74DB3EA4E@vpnc.org> <0d785b8b616846e9aa0eda962d1aade5@usma1ex-dag1mb1.msg.corp.akamai.com> <48F06B9A-7ED4-4711-901C-AA17DD690BC6@vpnc.org>
In-Reply-To: <48F06B9A-7ED4-4711-901C-AA17DD690BC6@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/FbG3_xr0bExwwkB0Yke_RCKR5Bg>
Subject: Re: [Cfrg] New draft on the transition from classical to post-quantum cryptography
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On 5/8/17, 9:46 AM, "Cfrg on behalf of Paul Hoffman" <cfrg-bounces@irtf.org on behalf of paul.hoffman@vpnc.org> wrote:

    On 8 May 2017, at 5:46, Salz, Rich wrote:
    
    >> And I completely want to avoid any discussion of such a specification 
    >> in this
    >> document; I consider "when you want to move to post-quantum"
    >> orthogonal to "at the time you move, here are your best options".
    >
    > Well, it's not of course.  What you do when you move depends on what 
    > is available at that time and options are likely to improve as Science 
    > Marches Forward.
    
    Fair point. There is a subtlety in "when you want to move to 
    post-quantum" of "there is a post-quantum solution at the time that 
    meets your needs". 

Technically you both are correct, and the two issues (“when” and “to what”) are orthogonal. In practice, however, they lose much without one another.

I understand that we may have a better idea now as to “when” over what “the best options” are likely to be “then” (so it’s easier to talk about “when”, even though both recommendations – not just “to what” but also “when” – may change as time advances).

I see the two as two parts of a single document, or as two closely related drafts, cross-referenced, and released together.


    My unstated assumption is that NIST and others around 
    the world will have standardized on some solutions before the readers of 
    this document (or a future version of it) feel the need to change. I'll 
    reflect that better in the next draft.

Wouldn’t you agree that for long-term documents (those that need to survive for 15 to 20+ years from now) the “need to change” is now with a pretty high probability? Wouldn’t that break your assumption?
    
    > I also think when to move depends on what you're trying to do.

Yes. ;-)

For some applications the need appears to be “now”.