Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

"Paterson Kenneth" <kenny.paterson@inf.ethz.ch> Mon, 15 April 2019 21:02 UTC

From: Paterson Kenneth <kenny.paterson@inf.ethz.ch>
To: mcgrew <mcgrew@cisco.com>, Ruslan Kiyanchuk <ruslan.kiyanchuk@gmail.com>
CC: Björn Haase <bjoern.haase@endress.com>, CFRG <cfrg@irtf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Thread-Topic: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
Date: Mon, 15 Apr 2019 21:01:16 +0000
Message-ID: <52F9C816-F479-4584-B2DA-FAB348A2A2D0@inf.ethz.ch>
In-Reply-To: <BA051BAF-09F2-445B-94F4-029476E45745@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XNNf2MejzBqh8zUrzHFjyA11ST0>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

Hi,

I read that Nature paper at the time it appeared. It was not clear to me that they had actually factored any number larger than 143 using a D-wave machine. Certainly, the paper presents no experimental data beyond N=143 (for which case, see Figure 3, but with no data concerning success probabilities, numbers of experiments, etc.).

So I sent the authors some basic questions about scaling and about details of their computations and experiments. (Naturally I first tried to establish my scientific credentials so as not to look like too much of a crank.)

I also asked the authors for data concerning the larger and more impressive numbers mentioned throughout the paper (e.g. 249919).

The authors did not provide this information, in contrast to the statement made towards the end of the paper concerning data availability:

“The data that support the plots within this paper and other findings of this study are available from the corresponding author upon reasonable request.”

Readers may draw their own conclusions from this.

Cheers,

Kenny

PS for those wondering, 143 = 13*11.

From: Cfrg <cfrg-bounces@irtf.org> on behalf of mcgrew <mcgrew@cisco.com>
Date: Monday, 15 April 2019 at 21:11
To: Ruslan Kiyanchuk <ruslan.kiyanchuk@gmail.com>
Cc: Björn Haase <bjoern.haase@endress.com>, CFRG <cfrg@irtf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

Hi Ruslan,


On Apr 15, 2019, at 2:04 PM, Ruslan Kiyanchuk <ruslan.kiyanchuk@gmail.com> wrote:

@Uri, the link statement reads fishy. I am also not a professional quantum physicist, but my understanding was that D-Wave computers can only do quantum annealing, which makes them applicable to a very narrow set of quantum problems, and makes them unsuitable for running Shor's or Grover's algorithms, which are not quantum annealing problems. At least that's how it used to be a couple of years ago. Did D-Wave broaden the scope of their computers recently?

It is not that D-Wave can run Shor's algorithm, but rather that researchers are studying how an adiabatic quantum computer can be used for factoring. See for instance "Quantum Annealing for Prime Factorization", https://www.nature.com/articles/s41598-018-36058-z:
We have developed a framework to convert an arbitrary integer factorization problem to an executable Ising model by first writing it as an optimization function then transforming the k-bit coupling (k ≥ 3) terms to quadratic terms using ancillary variables. Our resource-efficient method uses O(log_2(N)) binary variables (qubits) for finding the factors of an integer N. We present how to factorize 15, 143, 59989, and 376289 using 4, 12, 59, and 94 logical qubits, respectively. This method was tested using the D-Wave 2000Q for finding an embedding and determining the prime factors for a given composite number.

David



On Mon, Apr 15, 2019 at 9:09 AM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
While not a quantum physicist myself, I do think you are downplaying the risks:

https://www.insidequantumtechnology.com/news/new-hope-quantum-computers-factorizations-rsa-thousand-fold-excess/?utm_source=IQT+Daily+Newsletter&utm_campaign=a7528b4239-RSS_EMAIL_CAMPAIGN&utm_medium=email&utm_term=0_e8f238b4dd-a7528b4239-72197729

I understand Peter's point that unlike QC, attacks against implementations are really bad *now* (and probably will stay that way), but that's not an excuse to ignore the upcoming threat on the algorithmic level.
--
Regards,
Uri

On 4/14/2019, 23:37, "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote:

    Björn Haase <bjoern.haase@endress.com> writes:

    >Saying this, I think that it is important to have researchers working on PQ-
    >Crypto such that we have a solution "in the box", even if the actual
    >probability that we'd actually need it might be small..

    If it was researchers publishing via standard academic venues that'd be fine,
    the problem is that the CFRG is a de facto standards body so anything
    published will become an Internet standard.  At that point the yet-to-be-
    given-a-cool-name rule [0] which says that the best crypto is the latest
    trendiest bleeding-edge stuff and not the long-established stuff that we have
    a lot of experience with will kick in, and whatever PQC is written up will
    start being deployed and rushed into production before the RFC is even
    published.

    The end result will be the worst of both worlds, we'll have a bunch of PQC
    algorithms that work nothing like existing stuff so that people will be able
    revisit thirty years of mistakes in applying it, alongside the existing crypto
    that also needs to be supported.

    So standardising PQC at this point is hugely premature.  Leave it for academic
    conferences from which it can be pulled as required, but don't give
    implementers an excuse to re-make all the mistakes that have been made in the
    past with an entirely new set of algorithms.

    Peter.

    [0] Suggestions for a name welcome, currently "The Hipster Crypto Rule" but
        I'm not too happy with that.

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
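The first step of the abstract David quotes above, writing N = p*q as an optimisation function over the factors' bits and then reducing the cubic and quartic terms to quadratic ones with ancillary variables, carried out classically as an added example (not the paper's nor anyone on the list's code; the bit allocation, the ancilla gadget and an exhaustive search standing in for the annealer are this example's own choices, so its variable counts are not the paper's qubit counts). It shows that the zero-energy minima are exactly the factor pairs (143 = 11*13 included) and how the variable count grows once the cost is made quadratic.

```python
# Added example (not the paper's code): factoring as a pseudo-Boolean optimisation,
# E(x) = (N - p(x)*q(x))^2 over the unknown bits of odd p, q; E == 0 iff p*q == N.
from itertools import product

def poly_mul(a, b):
    """Multiply polynomials {frozenset(var indices): coeff}; binary vars, so x*x == x."""
    out = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            out[ma | mb] = out.get(ma | mb, 0) + ca * cb
    return {m: c for m, c in out.items() if c}

def evaluate(poly, x):
    return sum(c for m, c in poly.items() if all(x[i] for i in m))

def factoring_cost(N):
    """p gets ceil(n/2) bits, q gets n-1 bits, lowest bit of each fixed to 1 (example's own allocation)."""
    n = N.bit_length()
    lp, lq = (n + 1) // 2, n - 1
    p = {frozenset(): 1, **{frozenset([i - 1]): 1 << i for i in range(1, lp)}}
    q = {frozenset(): 1, **{frozenset([lp + j - 2]): 1 << j for j in range(1, lq)}}
    diff = {m: -c for m, c in poly_mul(p, q).items()}
    diff[frozenset()] = diff.get(frozenset(), 0) + N              # N - p*q
    return poly_mul(diff, diff), lp + lq - 2, p, q

def quadratize(poly, nvars):
    """Rosenberg reduction to degree 2 (QUBO/Ising-ready): x_a*x_b inside a degree>2 monomial
    becomes ancilla y, enforced by penalty M*(x_a x_b - 2 x_a y - 2 x_b y + 3 y), 0 iff y == x_a*x_b."""
    M, anc, out = 2 * sum(abs(c) for c in poly.values()) + 1, {}, {}
    def ancilla(a, b):
        if (a, b) not in anc:
            y = anc[(a, b)] = nvars + len(anc)
            for m, c in (({a, b}, 1), ({a, y}, -2), ({b, y}, -2), ({y}, 3)):
                out[frozenset(m)] = out.get(frozenset(m), 0) + M * c
        return anc[(a, b)]
    for m, c in poly.items():
        vs = sorted(m)
        while len(vs) > 2:          # ancilla indices exceed all originals, so vs stays sorted
            vs.append(ancilla(vs.pop(-2), vs.pop()))
        out[frozenset(vs)] = out.get(frozenset(vs), 0) + c
    return out, nvars + len(anc)

def factor_by_minimisation(N, quadratic=False):
    """Exhaustive search stands in for the annealer; returns (min energy, #variables, factor pairs)."""
    E, nvars, p, q = factoring_cost(N)
    if quadratic: E, nvars = quadratize(E, nvars)
    energies = {x: evaluate(E, x) for x in product((0, 1), repeat=nvars)}
    best = min(energies.values())
    pairs = sorted({(evaluate(p, x), evaluate(q, x)) for x, e in energies.items() if e == 0})
    return best, nvars, pairs
```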