[CFRG] CFRG and crypto-threatening quantum computers

"Riad S. Wahby" <rsw@jfet.org> Fri, 17 September 2021 21:56 UTC

Date: Fri, 17 Sep 2021 17:56:21 -0400
From: "Riad S. Wahby" <rsw@jfet.org>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "<cfrg@ietf.org>" <cfrg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/si5vSfR5EYrlFZI8s6a3xLXfcWo>

Hello Uri,

(Changed the subject line since we're pretty off-topic here.)

It seems silly for us to go back and forth point-by-point, especially
since most of our specific disagreements are minor and definitional.

    (e.g., What does CFRG do? Depends who you ask. From a research
    cryptographer's point of view the things we're documenting right
    now---pairing-friendly curves, hashing to curves, etc.---are
    roughly the same vintage as S/MIME!)

    (e.g., is USG making new quantum-susceptible standards? Well,
    should we count NIST's adding Ed25519 to FIPS-186?)

The high-level question is whether CFRG should act as if it's all but
certain that crypto-threatening quantum computers will exist in the
next few years. I think no; reasonable people can certainly disagree.
But let's try to avoid spitting contests. We will win by reaching
consensus, not by saying the cleverest things.

In that vein:

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> wrote:
> >    This argument does not seem productive: essentially all cryptography
> >    is based on hardness assumptions that have not been proved or disproved
> >    (and, given our current knowledge, seem unlikely to be). If we accept
> >    the above argument, the logical conclusion seems to be "disband CFRG".
> You equate "make new designs quantum-resistant" with "let's disband CFRG"??? Hmm...

The argument was: "there is no way to prove or disprove convincingly
this [security] concern", in the context of constructing crypto-threatening
quantum computers, implies "make all new designs quantum-resistant."

The point is, this doesn't go nearly far enough: "there is no way
to prove or disprove convincingly this [security] concern", in the
context of cryptography more broadly (and given prevailing beliefs
vis-a-vis complexity theory), implies "give up".

But we both agree that's absurd. So maybe we should rethink the premise