Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies

David McGrew <> Mon, 11 April 2016 21:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0CBE012F2E8 for <>; Mon, 11 Apr 2016 14:35:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -15.516
X-Spam-Status: No, score=-15.516 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 15dnoR7NEvXa for <>; Mon, 11 Apr 2016 14:35:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 212A212F2D7 for <>; Mon, 11 Apr 2016 14:35:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=24648; q=dns/txt; s=iport; t=1460410530; x=1461620130; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=96nnzIWtPHy4x6qpwAmR7Wi3kMZCuF6lEo5w6jQE9nY=; b=bUEp2lvLAyMuYbNMcFSNxtskF8eliY4zlIFwQE7Rj3VdH9VM90Us3lKs DmaB5XBYH1PS4j6vgA71ZPe1P5OFx9dmDe64vMHjEhy3PICkdaiDXKBlj Bb/CJsC+9hzTL4M8hGBBje64Hui4XVy71jY25NRA3HOc0GVOe+qglCVsG U=;
X-IronPort-AV: E=Sophos; i="5.24,470,1454976000"; d="scan'208,217"; a="90649780"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Apr 2016 21:35:29 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id u3BLZSXG026506 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 11 Apr 2016 21:35:28 GMT
Content-Type: multipart/alternative; boundary="Apple-Mail=_08B214B9-37AD-4670-B4BA-8A78CD4A3330"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: David McGrew <>
In-Reply-To: <>
Date: Mon, 11 Apr 2016 17:35:27 -0400
Message-Id: <>
References: <> <> <>
To: "Scott Fluhrer (sfluhrer)" <>, Grigory Marshalko <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Apr 2016 21:35:34 -0000

Hi Scott and Grigory,

> On Apr 11, 2016, at 5:02 PM, Scott Fluhrer (sfluhrer) <> wrote:
> These papers assume a very obscure attack model; where the attacker can generate a plaintext that is a superposition of several possible values, and have the device generate a ciphertext that is a superposition of the encryption of the various values. <> <>
> We assume that within a Quantum Computer, we somehow maintain coherence of the various quantum states; however this attack model asks that this coherency is not disrupted when the queries leave the Quantum Computer.  Realistically, it is hard to see how this could be implemented over a network.  Quantum Superposition is quite delicate; in fact, the main problem we have in building a Quantum Computer is how to maintain coherence over a nontrivial period of time – it would appear to be unlikely that the device under attack would be helpful enough to the attacker to go through that effort.
> Now, for totally public operations (hashing, public key encryption, signature verification, whitebox cryptography), these sorts of attacks are plausible (because someone with a Quantum Computer can perform them entirely within the Quantum Computer, and so go through the effort of maintaining coherence over the entire operation).  However, for attacking devices on the internet, well, it’s less interesting.

thanks for bringing these works into the discussion.  To add some more detail and emphasis to Scott’s point: the attack model in these works does not correspond to any current use of cryptography.  From <>:  "We consider here a much stronger model [than the quantum random oracle] in which, in addition to local quantum operations, an adversary is granted an access to a possibly remote cryptographic oracle in superposition of the inputs, and obtains the corresponding superposition of outputs.”   In other words, the results show that if you use a quantum computer to implement your secret-key crypto scheme, and then you let the attacker use your quantum computer, you can expect your scheme to be broken (if it is on the list of schemes they can attack).   

While this is a very interesting research result, the attack model is far from any current or anticipated use of secret-key cryptography, and thus it would be wrong to attempt to use these results to inform us in what sort of algorithms we should be using on the Internet.   



> From: Cfrg [] On Behalf Of Grigory Marshalko
> Sent: Monday, April 11, 2016 4:49 PM
> To: Dr. Pala;
> Subject: Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies
> Not only described issues.
> Two recent papers also address the post-quantum security of block cipher modes and MACs.
> <>
> <>
> Regards,
> Grigory Marshalko,
> expert,
> Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)
> <>
> 11 апреля 2016 г., 17:33, "Dr. Pala" < <>> написал:
> Hi all,
> At the CFRG meeting, I have appreciated the presentation about QC in the sense that inspired to think about the future in a more practical way (although there was probably not much agreement on how to proceed forward).
> I have also been following the conversation about the post-quantum computing crypto resistance and I am trying to figure out - given what we know about possible quantum computing which, as Tim pointed out during the meeting, is still very little - what types of policies can be implemented today that would allow us to be a bit more resilient to attacks in the post quantum-computing environment (i.e., not being taken by surprise since deploying of new crypto can take several years in the real world despite the algorithm agility we have in current standards). I will try to summarize the two main points:
> Symmetric crypto is still relatively secure. Using 256bits keys (e.g., AES 256) should provide enough confidentiality for the time being (this is already a common practice in the industry as the overhead compared to 128bits is negligible) - so we are relatively safe here.
> Given the physical limitations when it comes to be able to have QC with high number of qbits, it seems that when it comes to Asymmetric crypto, ECDSA (given the limited number of bits and the impossibility to extend the number of bits without defining new curves) is the weakest choice compared to RSA with very long keys (e.g., 8K or 16K bits keys or even bigger...).
> In other words, given this scenario and setting aside considerations about signature sizes (although, we have seen an increase in computing resources in terms of processing power, bandwidth, and storage it seems that signature size is a big concern - AFAIK, mostly driven by IoT and similar environments - even more than 10yrs ago! and many WGs are using the size argument over the security argument in their specifications and suggestions), the more flexible and forward-secure choice would be to start using "oversized" RSA keys for asymmetric and for symmetric we can keep using AES 256 with relative confidence (assuming, as I said, that no new quantum-specific algorithms are discovered...)
> Does this summarizes the current situation? Are these (very simplistic) considerations correct? Anybody disagree with these statements? Why?
> Cheers,
> Max
> -- 
> Massimiliano Pala, PhD
> Director at OpenCA Labs
> twitter: @openca
> _______________________________________________
> Cfrg mailing list