Re: [Cfrg] likelihood that someone has a quantum computer (was: Re: considering new topics for CFRG)

William Whyte <wwhyte@securityinnovation.com> Mon, 13 January 2014 10:32 UTC

Return-Path: <wwhyte@securityinnovation.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C565E1ADFA9 for <cfrg@ietfa.amsl.com>; Mon, 13 Jan 2014 02:32:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.779
X-Spam-Level:
X-Spam-Status: No, score=-0.779 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_72=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YJuO7LiMR2GA for <cfrg@ietfa.amsl.com>; Mon, 13 Jan 2014 02:32:28 -0800 (PST)
Received: from mail-qc0-x22a.google.com (mail-qc0-x22a.google.com [IPv6:2607:f8b0:400d:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id E24811ADF33 for <cfrg@irtf.org>; Mon, 13 Jan 2014 02:32:27 -0800 (PST)
Received: by mail-qc0-f170.google.com with SMTP id e9so6192612qcy.1 for <cfrg@irtf.org>; Mon, 13 Jan 2014 02:32:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=securityinnovation.com; s=google; h=from:references:in-reply-to:mime-version:thread-index:date :message-id:subject:to:cc:content-type; bh=EWlcJju0T6UgMp+gaH54V69N1+EIpN/3wAWDRkqtzYQ=; b=Br6QxfDlwD63uc4ftG09ehyyiDiPLciD/8+yOFXPVPH6vz3sbZO0cYVhrJnKfmJjql ouT7ZfwkyvQE93Dh9NdqI+JfZZAjqyRBBsTck4HsLfKXcNI1agfAyA6Gpi0KJej+vCb/ sZk7n/nL32f3Zi7yt7gKjXMx65wzBT7je7ce0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:references:in-reply-to:mime-version :thread-index:date:message-id:subject:to:cc:content-type; bh=EWlcJju0T6UgMp+gaH54V69N1+EIpN/3wAWDRkqtzYQ=; b=NSFvPkTukBTTUcYpXyv8JEg6xSEy8sYe7EsIJZQe4tZDyfJZkcmu5Yk+J9+OdTZ2Za 5ihP0LBAX+5Xnsrd7Z6dUIkplxXOUTPArJ5D4w91tUf356etVIZkiD+AGNd9rgtOai6U cdNmjX5Fc9tEWjxcqfUVywik2jjVtYVApXg0H8ft9jsJSXdqpx3aZ1S4sJn9wCyyHscH FRkWkmY5d2IZzRMBdLx/2xXpZKDVZb75bZV3Tj17D1Pvt5P186FGQdtrT4Ccy8bX0h47 ZZ6WNuk3MTz1VQQZ39nuKlSTvH6Bjq0sXVTck+51rm+ez4+RnMUEoazL06mQ7Rdr99Tg T/mg==
X-Gm-Message-State: ALoCoQnMQ9lZXaE/HCMbmsv+D7sm1Kc9lzoicK+f0Zp1MPGr2RLBVWp3K9Qc/Wbb7l0qbLQUua5d
X-Received: by 10.49.14.131 with SMTP id p3mr11032189qec.50.1389609136533; Mon, 13 Jan 2014 02:32:16 -0800 (PST)
From: William Whyte <wwhyte@securityinnovation.com>
References: <52C755AA.70200@cisco.com> <33E0BF53-A331-4646-B080-FD4F6E13916E@ieca.com> <810C31990B57ED40B2062BA10D43FBF5C1BF54@XMB116CNC.rim.net> <52D29B10.4030401@cisco.com> <CACz1E9rsLRwqpA0fS2RNOcpsn7DMqaN=7dcJDQqEi8HDMKKonQ@mail.gmail.com> <CACsn0c=mYv7v3fGCHCe9D5w2j+gRWWsmoUA7NQ=AsczTMP1rDw@mail.gmail.com> <76A03B60-E798-4DBB-8E3B-1865CD2F8E14@checkpoint.com>
In-Reply-To: <76A03B60-E798-4DBB-8E3B-1865CD2F8E14@checkpoint.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJ4x4958Z+19boV+tPFc44KqqvFgQKFSLs2AjIpROUCKyrZpgJv7XkgAVQx05MBj/VjiJjNT5cg
Date: Mon, 13 Jan 2014 05:32:15 -0500
Message-ID: <9be7a3ad1655efadcce3b1620d20b99e@mail.gmail.com>
To: Yoav Nir <ynir@checkpoint.com>, Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] likelihood that someone has a quantum computer (was: Re: considering new topics for CFRG)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2014 10:32:30 -0000

Hi Yoav,

> There is a general attitude in the IETF that standardizing patented
technology is bad, because it
> discourages open source implementations, but with such old patents (they
were issued in '97, no?)

The original NTRU patents were applied for in 1997, so expire in 2017.
There are a number of improvements which are also patented and expire
later.

Note that if the concern with patents is that they discourage open source
implementations, the NTRU patents are free to implement under GPL and a
number of other FOSS licenses, and this grant of rights to use the patents
is permanent and irrevocable.

https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/LICENSE.m
d
https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/FOSS%20Ex
ception.md

Cheers,

William


-----Original Message-----
From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Yoav Nir
Sent: Monday, January 13, 2014 1:23 AM
To: Watson Ladd
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] likelihood that someone has a quantum computer (was:
Re: considering new topics for CFRG)


On Jan 13, 2014, at 6:49 AM, Watson Ladd <watsonbladd@gmail.com>;
 wrote:

> On Sun, Jan 12, 2014 at 8:16 PM, William Whyte
> <wwhyte@securityinnovation.com>; wrote:
>> Hi all,
>>
>> Sorry again for top-posting, that's gmail for you.
>>
>>> I would put it more positively as: let's figure out how to use
>>> post-quantum cryptography in practice, because if there is a
>>> breakthrough in quantum computing, the mad rush will be ugly.
>>
>> As I mentioned in a previous mail, I think the best way to do this is
>> to figure out how to avoid depending on a single public key algorithm
>> in any context, because all public key algorithms are potentially
>> vulnerable to technological and algorithmic breakthroughs. So
>> combining public key algorithms seems like a prudent approach. I know
>> there are Certicom patents on this but it seems that this shouldn't be
insuperable.
>
> But that depends on at least one algorithm being postquantum secure,
> and historically we've not had any real surprises in the public key
> world.
> Algorithms exist that do this, we just need to be ahead of the game in
> specifying them. I'll see if McBits is amenable to standardization.
> Worst case we wait for NTRU patents to expire, and adopt it.

Just as a procedural note, we don't have to wait for any patents to
expire. We can specify standards that use these patents, as long as those
patents are disclosed. As in https://ietf.org/ipr/231/ .

There is a general attitude in the IETF that standardizing patented
technology is bad, because it discourages open source implementations, but
with such old patents (they were issued in '97, no?) that is far less a
concern.

When we do standardize patented technology, implementers have four
choices:
 1. Get a license
 2. Decide that the patent is bogus, and fight it in court.
 3. Wait for the patent to expire.
 4. Ignore the technology.

All implementers have lawyers, and all implementers hate paying for IPR,
so #1 and #2 hardly ever happen (with notable exceptions such as RSA years
ago and some codecs).

Considering that we have no proof of any adversary having a quantum
computer just yet, #3 and #4 are more likely, but that's a choice for
implementers to make. We can lead a horse to water and all that.

Yoav


_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg