IETF Logo Mail Archive

Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

mcgrew <mcgrew@cisco.com> Mon, 15 April 2019 19:10 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D59B120141 for <cfrg@ietfa.amsl.com>; Mon, 15 Apr 2019 12:10:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x5srVNLGMcQX for <cfrg@ietfa.amsl.com>; Mon, 15 Apr 2019 12:10:20 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40C081200D8 for <cfrg@irtf.org>; Mon, 15 Apr 2019 12:10:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12545; q=dns/txt; s=iport; t=1555355420; x=1556565020; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=ChZlZKTjimFWfwvueH/UzLe/l6Xigaw5thwujShF82A=; b=mSgzRgDyhAFedLUbBmxpvh0uwsVimQjidOYwxRmFSHe8Rwyp+86pYXA3 Ckjhgefk9bGjLDmFPp9m1Bmz7G8czCYrg1Gtjml62bO2smdK22hoyfPco RrFtiHKIhzL7DvHLm2dMaw5mQzGIhJPO328UbCD+Gf5BlaX7Z+yQQgP1K c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BeAADJ1bRc/4sNJK1mGgEBAQEBAgEBAQEHAgEBAQGBZYFiL2hSMigKhASTK4INiTmJFoYNgWcOAQEYAQeETQKGBCM4EwEDAQEKAQIBAm0cDIVKAQEBAwEBASFFBgsFCwsJDycDAgIhBh8RBg4FGgGDBwGBaQMNDw+oZIEvhDIBAwQDgQqCOA2CGwaBMooGgUQXgT9AgREnH4JMPoIaLhkBAxUDgRQBEgGDKTGCJgOLEYIVhFeHRIw7NgmCB4FQiBuEY4NJGpRzk1iJNIJ1AhEVgWYhZXFwFTsqAYJBPoFYF4NMhRSFWyMBATGOL4EiAYEgAQE
X-IronPort-AV: E=Sophos;i="5.60,354,1549929600"; d="scan'208,217";a="536721200"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 15 Apr 2019 19:10:19 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by alln-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id x3FJAIs0012592 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 15 Apr 2019 19:10:19 GMT
Received: from rtp-mcgrew-nitro2.cisco.com (10.117.145.147) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 15 Apr 2019 14:10:17 -0500
From: mcgrew <mcgrew@cisco.com>
Message-ID: <BA051BAF-09F2-445B-94F4-029476E45745@cisco.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_01A5C086-E266-42E2-960B-11E9159BF673"
MIME-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Mon, 15 Apr 2019 15:10:02 -0400
In-Reply-To: <CALwRki4_NLujn7VQsDN8auoz5Tw0x3J-OyiUmrN6MnQfZUQEyA@mail.gmail.com>
CC: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Björn Haase <bjoern.haase@endress.com>, CFRG <cfrg@irtf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Ruslan Kiyanchuk <ruslan.kiyanchuk@gmail.com>
References: <155231848866.23086.9976784460361189399@ietfa.amsl.com> <737ea2b3-74e3-d02e-a44d-c44cca5db036@lepidum.co.jp> <CAEseHRrSiJ72tQepyTiL=pSBcRRLGXhnJyy_QzOubWax+v=Ntw@mail.gmail.com> <CAEseHRqh4d0VaeSaj4CWr_ZxJbbpm33ZaLF-aYGBjVowFNLFeQ@mail.gmail.com> <c57bbf7b-3177-eb64-a3c0-26842fccbb89@lepidum.co.jp> <CAEseHRrVomCo6KD7gidCRBzKJDzFZRQ+q0+PjfBr8tQT4dVpMQ@mail.gmail.com> <b016d1f6-68e4-9728-c738-ab72c593dfd1@lepidum.co.jp> <CAEseHRoLGFbf74HT9n2beryc9Liqf2Hz+_rh-yo6Q8hNqwCvNQ@mail.gmail.com> <CAMCcN7RTQU=a+SYVkGUHZ4enOhkA9j9i6ivMRDUwb+aXPZ9hBg@mail.gmail.com> <7AE82BE8-768D-4B70-B7F1-EAF6894E428E@ll.mit.edu> <9CABDAD4-AAB7-46BF-BED7-6A917F828F11@inf.ethz.ch> <27F5D9B6-A44D-4A12-B81D-C4FB01052113@ll.mit.edu> <810C31990B57ED40B2062BA10D43FBF501DB4A31@XMB116CNC.rim.net> <B79CBA86-3C81-4973-84C2-7DAD7B659CB4@ericsson.com> <CADPMZDCHgsP6=ssJymeoq7RP1eshWf4zk+N9Cf1DY-fk+ntCgA@mail.gmail.com> <1554167337418.62603@cs.auckland.ac.nz> <1A5915E5-E50A-426E-B8F5-6CCCA47AB392@ll.mit.edu> <DB8PR05MB599359EAB383B467DBE6DDB283570@DB8PR05MB5993.eurprd05.prod.outlook.com> <1555299362578.89262@cs.auckland.ac.nz> <2C14A5F0-641D-4B5A-B455-A0B90B2DA371@ll.mit.edu> <CALwRki4_NLujn7VQsDN8auoz5Tw0x3J-OyiUmrN6MnQfZUQEyA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-Originating-IP: [10.117.145.147]
X-ClientProxiedBy: xch-rcd-005.cisco.com (173.37.102.15) To XCH-ALN-004.cisco.com (173.36.7.14)
X-Outbound-SMTP-Client: 173.36.7.14, xch-aln-004.cisco.com
X-Outbound-Node: alln-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/oQHiW3p7l43iYhu3o--Jws-681k>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 19:10:23 -0000

Hi Ruslan,

> On Apr 15, 2019, at 2:04 PM, Ruslan Kiyanchuk <ruslan.kiyanchuk@gmail.com> wrote:
> 
> @Uri, the link statement reads fishy. I am also not a professional quantum physicist, but my understanding was that D-Wave computers can only do quantum annealing, which makes them applicable to a very narrow set of quantum problems, and makes them unsuitable for running Shor's or Grover's algorithms, which are not quantum annealing problems. At least that's how it used to be couple of years ago. Did D-Wave broaden the scope of their computers recently?

It is not that D-Wave can run Shor’s algorithm, but rather that researchers are studying how an adiabatic quantum computer can be used for factoring.  See for instance "Quantum Annealing for Prime Factorization”, https://www.nature.com/articles/s41598-018-36058-z:
We have developed a framework to convert an arbitrary integer factorization problem to an executable Ising model by first writing it as an optimization function then transforming the k-bit coupling (k ≥ 3) terms to quadratic terms using ancillary variables. Our resource-efficient method uses O(log_2(N)) binary variables (qubits) for finding the factors of an integer N. We present how to factorize 15, 143, 59989, and 376289 using 4, 12, 59, and 94 logical qubits, respectively. This method was tested using the D-Wave 2000Q for finding an embedding and determining the prime factors for a given composite number.  

David

> 
> On Mon, Apr 15, 2019 at 9:09 AM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu <mailto:uri@ll.mit.edu>> wrote:
> While not a quantum physicist myself, I do think you are downplaying the risks:
> 
> https://www.insidequantumtechnology.com/news/new-hope-quantum-computers-factorizations-rsa-thousand-fold-excess/?utm_source=IQT+Daily+Newsletter&utm_campaign=a7528b4239-RSS_EMAIL_CAMPAIGN&utm_medium=email&utm_term=0_e8f238b4dd-a7528b4239-72197729 <https://www.insidequantumtechnology.com/news/new-hope-quantum-computers-factorizations-rsa-thousand-fold-excess/?utm_source=IQT+Daily+Newsletter&utm_campaign=a7528b4239-RSS_EMAIL_CAMPAIGN&utm_medium=email&utm_term=0_e8f238b4dd-a7528b4239-72197729> 
> 
> I understand Peter's point that unlike QC, attacks against implementations are really bad *now* (and probably will stay that way), but that's not an excuse to ignore the upcoming threat on the algorithmic level.
> --
> Regards,
> Uri 
> 
> On 4/14/2019, 23:37, "Peter Gutmann" <pgut001@cs.auckland.ac.nz <mailto:pgut001@cs.auckland.ac.nz>> wrote:
> 
>     Björn Haase <bjoern.haase@endress.com <mailto:bjoern.haase@endress.com>> writes:
> 
>     >Saying this, I think that it is important to have researchers working on PQ-
>     >Crypto such that we have a solution "in the box", even if the actual
>     >probability that we'd actually need it might be small..
> 
>     If it was researchers publishing via standard academic venues that'd be fine,
>     the problem is that the CFRG is a de facto standards body so anything
>     published will become an Internet standard.  At that point the yet-to-be-
>     given-a-cool-name rule [0] which says that the best crypto is the latest
>     trendiest bleeding-edge stuff and not the long-established stuff that we have
>     a lot of experience with will kick in, and whatever PQC is written up will
>     start being deployed and rushed into production before the RFC is even
>     published.
> 
>     The end result will be the worst of both worlds, we'll have a bunch of PQC
>     algorithms that work nothing like existing stuff so that people will be able
>     revisit thirty years of mistakes in applying it, alongside the existing crypto
>     that also needs to be supported.
> 
>     So standardising PQC at this point is hugely premature.  Leave it for academic
>     conferences from which it can be pulled as required, but don't give
>     implementers an excuse to re-make all the mistakes that have been made in the
>     past with an entirely new set of algorithms.
> 
>     Peter.
> 
>     [0] Suggestions for a name welcome, currently "The Hipster Crypto Rule" but
>         I'm not too happy with that.
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
> https://www.irtf.org/mailman/listinfo/cfrg <https://www.irtf.org/mailman/listinfo/cfrg>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email