Re: [CFRG] CFRG and crypto-threatening quantum computers

Soatok Dreamseeker <soatok.dhole@gmail.com> Fri, 17 September 2021 22:16 UTC

From: Soatok Dreamseeker <soatok.dhole@gmail.com>
Date: Fri, 17 Sep 2021 18:16:38 -0400
Message-ID: <CAOvwWh2v3ovm=JNW_Z=EXSfYabH0sw5U_m-TkA6mSQy+-YHtNQ@mail.gmail.com>
To: "Riad S. Wahby" <rsw@jfet.org>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "<cfrg@ietf.org>" <cfrg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/aOzXcdEiey4dzLSsXB77AO8AA9E>

On Fri, Sep 17, 2021 at 5:57 PM Riad S. Wahby <rsw@jfet.org> wrote:

> Hello Uri,
>
> (Changed the subject line since we're pretty off-topic here.)
>
> It seems silly for us to go back and forth point-by-point, especially
> since most of our specific disagreements are minor and definitional.
>
>     (e.g., What does CFRG do? Depends who you ask. From a research
>     cryptographer's point of view the things we're documenting right
>     now---pairing-friendly curves, hashing to curves, etc.---are
>     roughly the same vintage as S/MIME!)
>
>     (e.g., is USG making new quantum-susceptible standards? Well,
>     should we count NIST's adding Ed25519 to FIPS-186?)
>
> The high-level question is whether CFRG should act as if it's all but
> certain that crypto-threatening quantum computers will exist in the
> next few years. I think no; reasonable people can certainly disagree.
> But let's try to avoid spitting contests. We will win by reaching
> consensus, not by saying the cleverest things.
>
> In that vein:
>
> "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> wrote:
> > >    This argument does not seem productive: essentially all cryptography
> > >    is based on hardness assumptions that have not been proved or disproved
> > >    (and, given our current knowledge, seem unlikely to be). If we accept
> > >    the above argument, the logical conclusion seems to be "disband CFRG".
> >
> > You equate "make new designs quantum-resistant" with "let's disband CFRG"??? Hmm...
>
> The argument was: "there is no way to prove or disprove convincingly
> this [security] concern", in the context of constructing crypto-threatening
> quantum computers, implies "make all new designs quantum-resistant."
>
> The point is, this doesn't go nearly far enough: "there is no way
> to prove or disprove convincingly this [security] concern", in the
> context of cryptography more broadly (and given prevailing beliefs
> vis-a-vis complexity theory), implies "give up".
>
> But we both agree that's absurd. So maybe we should rethink the premise
> here.
>
> Cheers,
>
> -=rsw


I'm agnostic to the threat of quantum computers. My stance is simply:
Design for the threat model you have, not the one you're worried about
having in 10 years. If you're worried about having to migrate to new
cryptography, ever, you should build versioning into whatever you're
building, so you can migrate when your threat model evolves. This is true
even if practical quantum computers somehow turn out to be impossible.

Thus, there's not much value in such speculation.
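The "build versioning in so you can migrate later" advice above is a concrete engineering pattern, so here is an added example of it (written for this page, not code from Soatok or CFRG). A ciphertext envelope carries a leading version byte that selects the algorithm suite; the version byte is covered by the authentication tag so it cannot be rewritten to force a downgrade; unknown versions are rejected before any key material is touched; and a migrate() helper re-encrypts anything still on an older suite. The two suites, the counter-mode HMAC keystream and the encrypt-then-MAC layout are assumptions chosen so the example runs on the standard library alone; a real deployment would point the table at vetted AEADs (and, when the day comes, at a post-quantum suite) without changing the parsing or migration logic.

```python
"""Versioned encryption envelope (illustrative, standard library only).

Layout:  version(1) || nonce || ciphertext || tag
The version byte selects everything else, and is authenticated by the tag.
The suites and the HMAC-based stream cipher are assumptions for this example.
"""
import hashlib
import hmac
import os
import struct

# Suite table keyed by version byte. Both suites are hypothetical; the point is
# that nothing outside this table needs to change when a suite is added.
SUITES = {
    0x01: {"hash": "sha256", "nonce_len": 12, "tag_len": 16},
    0x02: {"hash": "sha3_256", "nonce_len": 16, "tag_len": 32},
}
CURRENT_VERSION = 0x02  # all newly written data uses this suite


def _derive(master: bytes, version: int, label: bytes) -> bytes:
    # Per-version, per-purpose subkeys so two suites never share key material.
    return hmac.new(master, bytes([version]) + label, SUITES[version]["hash"]).digest()


def _keystream(key: bytes, nonce: bytes, n: int, h: str) -> bytes:
    # Counter-mode PRF keystream; stands in for a real cipher in this example.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), h).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(master: bytes, plaintext: bytes, version: int = CURRENT_VERSION) -> bytes:
    """Encrypt under a given suite. The version argument exists so legacy
    writers (and tests) can produce old-format data; new code should not pass it."""
    if version not in SUITES:
        raise ValueError(f"unknown version 0x{version:02x}")
    s = SUITES[version]
    nonce = os.urandom(s["nonce_len"])
    header = bytes([version]) + nonce
    ct = _xor(plaintext, _keystream(_derive(master, version, b"enc"), nonce, len(plaintext), s["hash"]))
    # Encrypt-then-MAC over header AND ciphertext: the version byte is authenticated,
    # so an attacker cannot relabel a blob to push it through a different suite.
    tag = hmac.new(_derive(master, version, b"mac"), header + ct, s["hash"]).digest()[: s["tag_len"]]
    return header + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Parse the version first, reject anything unsupported, then verify and decrypt."""
    if not blob:
        raise ValueError("empty blob")
    version = blob[0]
    if version not in SUITES:
        raise ValueError(f"unsupported version 0x{version:02x}")
    s = SUITES[version]
    hdr_len, tag_len = 1 + s["nonce_len"], s["tag_len"]
    if len(blob) < hdr_len + tag_len:
        raise ValueError("truncated blob")
    header, ct, tag = blob[:hdr_len], blob[hdr_len:-tag_len], blob[-tag_len:]
    expected = hmac.new(_derive(master, version, b"mac"), header + ct, s["hash"]).digest()[:tag_len]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    nonce = header[1:]
    return _xor(ct, _keystream(_derive(master, version, b"enc"), nonce, len(ct), s["hash"]))


def needs_migration(blob: bytes) -> bool:
    """True if the blob was written under a suite other than the current one."""
    return bool(blob) and blob[0] != CURRENT_VERSION


def migrate(master: bytes, blob: bytes) -> bytes:
    """Re-encrypt old-suite data under the current suite; current data is returned as-is."""
    return encrypt(master, decrypt(master, blob)) if needs_migration(blob) else blob


if __name__ == "__main__":
    key = os.urandom(32)
    old = encrypt(key, b"written last year", version=0x01)   # constructed legacy record
    new = migrate(key, old)
    print(f"v{old[0]} -> v{new[0]}: {decrypt(key, new)!r}")
```

Rolling to a new suite is then a two-line change (add a SUITES entry, bump CURRENT_VERSION) plus a background job that calls migrate() over stored data; readers keep accepting old versions until that job finishes, at which point the old entry can be deleted from the table and the reader will start refusing it.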