Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies

"Grigory Marshalko" <marshalko_gb@tc26.ru> Tue, 12 April 2016 09:28 UTC

Return-Path: <marshalko_gb@tc26.ru>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D36212EAC5 for <cfrg@ietfa.amsl.com>; Tue, 12 Apr 2016 02:28:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.996
X-Spam-Level:
X-Spam-Status: No, score=-2.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tc26.ru
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xA0iDOTwCo8V for <cfrg@ietfa.amsl.com>; Tue, 12 Apr 2016 02:28:12 -0700 (PDT)
Received: from mail.tc26.ru (mail.tc26.ru [188.40.163.82]) by ietfa.amsl.com (Postfix) with ESMTP id 6E0B712EABB for <cfrg@irtf.org>; Tue, 12 Apr 2016 02:28:12 -0700 (PDT)
Received: from mail.tc26.ru (localhost [127.0.0.1]) by mail.tc26.ru (Postfix) with ESMTPSA id A2E2D300322; Tue, 12 Apr 2016 12:28:10 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.tc26.ru A2E2D300322
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tc26.ru; s=mx; t=1460453291; bh=8HBcb4ZG3sj+4JnU4ZhijfEt6GPDEkgbi4OPFpfAy28=; h=Date:From:Subject:To:Cc:In-Reply-To:References:From; b=W4uZ5lwu+Sm2K3qiBBjrS6PgKKN/LK236jHvM7ymDcVFNOB3sLb7DPayVSYJjY1bJ 1jflO8B6yuoTsh3VUDoV4ZWu6LJNMp7ALSgQiGojc40FHtawwlDEH+OcolT5Jwivth PAnS0CS23OdmoxRA0NdM3UHu7LIprYLVYJOg+x7E=
Mime-Version: 1.0
Date: Tue, 12 Apr 2016 09:28:10 +0000
Content-Type: multipart/alternative; boundary="--=_RainLoop_448_322431678.1460453290"
Message-ID: <e1a6688b01105e754dbbfae0adf091b4@mail.tc26.ru>
X-Mailer: RainLoop/1.9.3.365
From: Grigory Marshalko <marshalko_gb@tc26.ru>
To: David McGrew <mcgrew@cisco.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
In-Reply-To: <7348154A-6DDD-4737-8FBC-D18A4FBF21A5@cisco.com>
References: <7348154A-6DDD-4737-8FBC-D18A4FBF21A5@cisco.com> <570BB5BC.5000705@openca.org> <f8895481ad3bcfa9617392a6903547b8@mail.tc26.ru> <9b3261feb368462a87e6772b1740d9ec@XCH-RTP-006.cisco.com>
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 94519 [Apr 12 2016]
X-KLMS-AntiSpam-Version: 5.5.9.33
X-KLMS-AntiSpam-Envelope-From: marshalko_gb@tc26.ru
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Moebius-Timestamps: 4068408, 4068438, 4067474
X-KLMS-AntiSpam-Info: LuaCore: 419 419 24d92320b28ecafcc7e43d1a024ab7fa6f09466f, 127.0.0.200:7.1.3; mail.tc26.ru:7.1.1; eprint.iacr.org:7.1.1; www.tc26.ru:7.1.1; www.irtf.org:7.1.1; arxiv.org:4.0.4,7.1.1; d41d8cd98f00b204e9800998ecf8427e.com:7.1.1; 127.0.0.199:7.1.2; tc26.ru:7.1.1, Auth:dkim=none
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiPhishing: Clean, 2016/04/11 08:42:06
X-KLMS-AntiVirus: Kaspersky Security 8.0 for Linux Mail Server, version 8.0.1.721, bases: 2016/04/11 19:38:00 #7480646
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/qBaVgiwibxITKF8EhNbbuPQ0ewo>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2016 09:28:15 -0000

Hi David and Scott,

I completely agree with you, nevertheless I suppose It should be usefull at least to keep this pubs in mind as a possible new trend of research

Regards,
Grigory Marshalko,
expert,
Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)
www.tc26.ru

12 апреля 2016 г., 00:35, "David McGrew"  написал:
Hi Scott and Grigory,
 
 
On Apr 11, 2016, at 5:02 PM, Scott Fluhrer (sfluhrer)  wrote: 
These papers assume a very obscure attack model; where the attacker can generate a plaintext that is a superposition of several possible values, and have the device generate a ciphertext that is a superposition of the encryption of the various values. 
	 We assume that within a Quantum Computer, we somehow maintain coherence of the various quantum states; however this attack model asks that this coherency is not disrupted when the queries leave the Quantum Computer.  Realistically, it is hard to see how this could be implemented over a network.  Quantum Superposition is quite delicate; in fact, the main problem we have in building a Quantum Computer is how to maintain coherence over a nontrivial period of time – it would appear to be unlikely that the device under attack would be helpful enough to the attacker to go through that effort.

	 Now, for totally public operations (hashing, public key encryption, signature verification, whitebox cryptography), these sorts of attacks are plausible (because someone with a Quantum Computer can perform them entirely within the Quantum Computer, and so go through the effort of maintaining coherence over the entire operation).  However, for attacking devices on the internet, well, it’s less interesting.
thanks for bringing these works into the discussion.  To add some more detail and emphasis to Scott’s point: the attack model in these works does not correspond to any current use of cryptography.  From http://arxiv.org/pdf/1602.05973.pdf (http://arxiv.org/pdf/1602.05973.pdf):  "We consider here a much stronger model [than the quantum random oracle] in which, in addition to local quantum operations, an adversary is granted an access to a possibly remote cryptographic oracle in superposition of the inputs, and obtains the corresponding superposition of outputs.”   In other words, the results show that if you use a quantum computer to implement your secret-key crypto scheme, and then you let the attacker use your quantum computer, you can expect your scheme to be broken (if it is on the list of schemes they can attack).   

While this is a very interesting research result, the attack model is far from any current or anticipated use of secret-key cryptography, and thus it would be wrong to attempt to use these results to inform us in what sort of algorithms we should be using on the Internet.   

best

David 
 
	 
From: Cfrg [mailto:cfrg-bounces@irtf.org (mailto:cfrg-bounces@irtf.org)] On Behalf Of Grigory Marshalko
Sent: Monday, April 11, 2016 4:49 PM
To: Dr. Pala; cfrg@irtf.org (mailto:cfrg@irtf.org)
Subject: Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies
Not only described issues.
Two recent papers also address the post-quantum security of block cipher modes and MACs.
http://arxiv.org/pdf/1602.05973.pdf (http://arxiv.org/pdf/1602.05973.pdf)
https://eprint.iacr.org/2016/197.pdf (https://eprint.iacr.org/2016/197.pdf)
Regards,
Grigory Marshalko,
expert,
Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)
www.tc26.ru (http://www.tc26.ru/)

11 апреля 2016 г., 17:33, "Dr. Pala"  написал:

Hi all,

At the CFRG meeting, I have appreciated the presentation about QC in the sense that inspired to think about the future in a more practical way (although there was probably not much agreement on how to proceed forward).

I have also been following the conversation about the post-quantum computing crypto resistance and I am trying to figure out - given what we know about possible quantum computing which, as Tim pointed out during the meeting, is still very little - what types of policies can be implemented today that would allow us to be a bit more resilient to attacks in the post quantum-computing environment (i.e., not being taken by surprise since deploying of new crypto can take several years in the real world despite the algorithm agility we have in current standards). I will try to summarize the two main points:
	* Symmetric crypto is still relatively secure. Using 256bits keys (e.g., AES 256) should provide enough confidentiality for the time being (this is already a common practice in the industry as the overhead compared to 128bits is negligible) - so we are relatively safe here.
	* Given the physical limitations when it comes to be able to have QC with high number of qbits, it seems that when it comes to Asymmetric crypto, ECDSA (given the limited number of bits and the impossibility to extend the number of bits without defining new curves) is the weakest choice compared to RSA with very long keys (e.g., 8K or 16K bits keys or even bigger...).
	In other words, given this scenario and setting aside considerations about signature sizes (although, we have seen an increase in computing resources in terms of processing power, bandwidth, and storage it seems that signature size is a big concern - AFAIK, mostly driven by IoT and similar environments - even more than 10yrs ago! and many WGs are using the size argument over the security argument in their specifications and suggestions), the more flexible and forward-secure choice would be to start using "oversized" RSA keys for asymmetric and for symmetric we can keep using AES 256 with relative confidence (assuming, as I said, that no new quantum-specific algorithms are discovered...)

	Does this summarizes the current situation? Are these (very simplistic) considerations correct? Anybody disagree with these statements? Why?

	Cheers,
Max
 

	-- 

	Massimiliano Pala, PhD

	Director at OpenCA Labs

	twitter: @openca_______________________________________________
Cfrg mailing list
Cfrg@irtf.org (mailto:Cfrg@irtf.org)
https://www.irtf.org/mailman/listinfo/cfrg (https://www.irtf.org/mailman/listinfo/cfrg)