Re: [Cfrg] A terminology issue with "post-quantum cryptography"

Dan Brown <danibrown@blackberry.com> Fri, 18 August 2017 16:02 UTC

From: Dan Brown <danibrown@blackberry.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] A terminology issue with "post-quantum cryptography"
Thread-Index: AQHTF1ZjYTwQzQbzSEaiw4aerLAloKKIvayQ
Date: Fri, 18 Aug 2017 16:02:37 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501B925F4@XMB116CNC.rim.net>
References: <AE20453A-163A-45DA-ACCD-56726AA3E316@gmail.com> <DB577FA0-AD0F-40F8-9A2A-9CA55D9D9CC5@cisco.com> <CAN40gStALAecOpuPBDdAM8T6a0EHr0Bo3xBvzO=zgQ2qK3DGmw@mail.gmail.com> <CAJU8_nXSi_8XpvAYm8yBy7gDwUuRw4F6VLTqjcp-5ueDiXuWYQ@mail.gmail.com> <5397C02D-A4C5-47CD-9383-E47D3262D8C4@icann.org> <20170817124313.2037.qmail@cr.yp.to>
In-Reply-To: <20170817124313.2037.qmail@cr.yp.to>
Accept-Language: en-US, en-CA
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tlYo-0Q7JaQFF8o3yIcta3_nW6k>
Subject: Re: [Cfrg] A terminology issue with "post-quantum cryptography"

How about quantum-prudent or quantum-cautious cryptography?
/*
I'm not a PQC researcher, so please feel free to ignore my $0.02.

Finding (brief) terminology for this topic seems difficult, mainly because of the extra conjectures and timing (see below).  But it is only terminology, so it is probably okay just to stick to a tradition, or okay to churn it up, or be imperfect.

There is a need (see below) for distinct terminology for the task and the tool.  For example, McEliece (the tool) is (reasonably) conjectured to provide quantum-resistance (the task).  Postquantum crypto could help as a noun for a generic tool (conjectured to be quantum-resistant).

There seems to be some value in specificity.  For example, ECC is rarely called post-factoring or sieving-resistant, etc. (to address the non-zero risk of a faster classical-computer factoring or sieving algorithm), partly because that's not specific to ECC.

There is a need for quantum-resistance because of a non-negligible risk of a quantum computer. But it is bad if pushes towards this need seem to imply dropping ECC, because that would trade one risk for another.  Terms like postquantum and quantum-resistant do little to remind us that a quantum computer is only conjectural, so these terms must often be accompanied by further clarifications and explanations (e.g., don't drop ECC).

Supplementing ECC or RSA with some kind of conjecturally quantum-resistant proposal pre-emptively is often justified (the cost is worth addressing the risk), but calling this "postquantum" does not go far enough to encourage this practice (because post suggests waiting) or clarify the timing (recall how NIST called forward secrecy backtracking resistance).

Shor's algorithm makes it a certainty that a large-enough quantum computer would break RSA and ECC. Confusing that certainty with various PQC proposals being quantum-resistant is inaccurate.  In this regard, the leading terms postquantum and quantum-resistant overstate the case (as do quantum-prudent and quantum-cautious).  To this end, I tried to think up a short name more specific to Shor's algorithm, but only came up with silly jokes, such as shor-ward-secure, or vague techno terms like no-hidden-group.  (This strategy also completely ignores the symmetric key case and Grover's algorithm, but that situation is simpler.)
*/