Re: [Cfrg] New draft on the transition from classical to post-quantum cryptography

"Paul Hoffman" <paul.hoffman@vpnc.org> Mon, 08 May 2017 00:18 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
To: "Tams, Benjamin" <Benjamin.Tams@secunet.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Sun, 07 May 2017 17:18:51 -0700
Message-ID: <9E0DFD44-3000-4E5B-BAE6-2EF74DB3EA4E@vpnc.org>
In-Reply-To: <78B0B91A8FEB2E43B20BCCE132613181399287CA@mail-essen-01.secunet.de>
References: <BAE7613D-D89C-4F19-8FA5-1D3BCC55DCCB@vpnc.org> <78B0B91A8FEB2E43B20BCCE132613181399287CA@mail-essen-01.secunet.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RMeiQ_keZp4z8SyfY3OZcZWay6k>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On 4 May 2017, at 3:17, Tams, Benjamin wrote:

> Thank you for producing the initial draft. I think such a document can be very useful for the community and for individual organizations, to be taken into account when properly managing risk in view of possible attacks by quantum computers.

Thanks.

> I briefly read over the document.
>
> Here are some personal comments on the organization of the document.
>
> If the intention of the final document is to help people understand when they have to make the transition from classical to post-quantum cryptography, I would like to propose setting the focus more on what an organization should consider when deciding whether or not to go from classical to post-quantum cryptography. My very personal vision is to motivate the reader to consider the following questions.
>
> 1. What if useful quantum computers arise in the short term (e.g. 0-10 years), middle term (e.g. 10-15 years), or long term (e.g. 15-25 years)?
>
> 2. What if I use classical cryptography today that can be broken by a quantum computer in the short, middle or long term?
>
> 3. When should I switch to post-quantum cryptography for digital signatures, asymmetric encryption, or symmetric encryption?
>
> 4. Is my application worth being attacked by someone who can use a quantum computer? If it is, why? (This question is already addressed in Section 5 of the draft.)
>
> Essentially, I think the intention of the document should not be to convince the reader to use or not to use post-quantum cryptography. It should rather leave it to the reader to decide whether or not (and if so, to what extent) he considers it necessary to apply post-quantum cryptography in his application.

That is certainly my intention.

> Anyway, if an organization's decision is to use post-quantum cryptography (a decision that we should leave open), then the organization should be able to access, in a timely manner, a specification suitable for implementation. While CFRG may already specify documents for PQ-safe digital signatures, CFRG seems to hesitate to specify something for PQ-safe public key encryption. It is (not just) my opinion that the need for PQ-safe public key encryption is much higher, though less matured.

And I completely want to avoid any discussion of such a specification in 
this document; I consider "when you want to move to post-quantum" 
orthogonal to "at the time you move, here are your best options".

--Paul Hoffman