Re: [Cfrg] A terminology issue with "post-quantum cryptography"

Andre Brisson <abrisson@wnlabs.com> Fri, 18 August 2017 16:43 UTC

From: Andre Brisson <abrisson@wnlabs.com>
To: Dan Brown <danibrown@blackberry.com>, "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Fri, 18 Aug 2017 16:42:59 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/pUEIq_7j63bh1F2HIgWMsnPkwKc>
Subject: Re: [Cfrg] A terminology issue with "post-quantum cryptography"
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

The assertion highlighted in yellow is interesting. The IEEE is publishing papers concerning the factoring topic, and the utility was demonstrated at an ATC IEEE Trusted Computing workshop in Silicon Valley on August 4. It has been around a while. It is being demonstrated at The Hague during another conference, particularly to NATO and Europol, in October.

Before knee-jerk comments, it is recommended that you build and test it. Scientific method and informed comments are always good. It is simple enough to build. It is also simple to request a copy of the utility if you can be permitted under the regulatory regime.

AB

http://www.wnlabs.com/news/ECC-is-easier-to-break.php

http://www.wnlabs.com/pdf/IEEE-ATC-R-CyberTrust-27.pdf This informs engineers or beginner computer scientists how to build the utility.

http://www.wnlabs.com/news/IEEE_copyright_WN_papers.php

-----Original Message-----
From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Dan Brown
Sent: Friday, August 18, 2017 9:03 AM
To: D. J. Bernstein; cfrg@irtf.org
Subject: Re: [Cfrg] A terminology issue with "post-quantum cryptography"
How about quantum-prudent or quantum-cautious cryptography?

/*

I'm not a PQC researcher, so please feel free to ignore my $0.02.
Finding (brief) terminology for this topic seems difficult, mainly because of the extra conjectures and timing (see below). But it is only terminology, so it is probably okay just to stick to a tradition, or okay to churn it up, or to be imperfect.

There is a need (see below) for distinct terminology for the task and the tool. For example, McEliece (the tool) is (reasonably) conjectured to provide quantum resistance (the task). Postquantum crypto could help as a noun for a generic tool (conjectured to be quantum-resistant).

There seems to be some value in specificity. For example, ECC is rarely called post-factoring or sieving-resistant, etc. (to address the non-zero risk of a faster classical-computer factoring or sieving algorithm), partly because that's not specific to ECC.

There is a need for quantum resistance because of a non-negligible risk of a quantum computer. But it is bad if pushes towards this need seem to imply dropping ECC, because that would trade one risk for another. Terms like postquantum and quantum-resistant do little to remind us that a quantum computer is only conjectural (questionable), so these terms must often be accompanied by further clarifications and explanations (e.g., don't drop ECC).

Supplementing ECC or RSA with some kind of conjecturally quantum-resistant proposal pre-emptively is often justified (the cost is worth addressing the risk), but calling this "postquantum" does not go far enough to encourage this practice (because "post" suggests waiting) or to clarify the timing (recall how NIST called forward secrecy "backtracking resistance").

Shor's algorithm makes it a certainty that a large-enough quantum computer would break RSA and ECC. Confusing that certainty with various PQC proposals being quantum-resistant is inaccurate. In this regard, the leading terms postquantum and quantum-resistant overstate the case (as do quantum-prudent and quantum-cautious). To this end, I tried to think up a short name more specific to Shor's algorithm, but only came up with silly jokes, such as shor-ward-secure, or vague techno terms like no-hidden-group. (This strategy also completely ignores the symmetric-key case and Grover's algorithm, but that situation is simpler.) */
