Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies

"Grigory Marshalko" <> Mon, 11 April 2016 20:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 951F612F455 for <>; Mon, 11 Apr 2016 13:48:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.996
X-Spam-Status: No, score=-2.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LAdhDPgbaOTx for <>; Mon, 11 Apr 2016 13:48:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id DFB1712F456 for <>; Mon, 11 Apr 2016 13:48:43 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTPSA id 2E26D3003E7; Mon, 11 Apr 2016 23:48:40 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.10.3 2E26D3003E7
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mx; t=1460407721; bh=vsEF9e1pSpqtnlhKuF82kpvbKVj2zdFfZrUuuTzRyls=; h=Date:From:Subject:To:In-Reply-To:References:From; b=bZb6TdrP1WeMZwBlanKFLwEMs79nhtKEWCrgkMzUvw/EpiHb1HyMCstHwE9z1ht14 ZdfipKHuZdbcCgF21CnoBJbDxFrYpd8a8YQKpBHYtKAzN1kVn446lKRoKg1NKPvtBL o19yGUgrrLrmitcQzcS9DnfrUYV9KKy3YctbSzeA=
Mime-Version: 1.0
Date: Mon, 11 Apr 2016 20:48:39 +0000
Content-Type: multipart/alternative; boundary="--=_RainLoop_458_425210050.1460407719"
Message-ID: <>
X-Mailer: RainLoop/
From: Grigory Marshalko <>
To: "Dr. Pala" <>,
In-Reply-To: <>
References: <>
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 94495 [Apr 11 2016]
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Moebius-Timestamps: 4067419, 4067447, 4067327
X-KLMS-AntiSpam-Info: LuaCore: 419 419 24d92320b28ecafcc7e43d1a024ab7fa6f09466f,;;;;,7.1.1;;, Auth:dkim=none
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiPhishing: Clean, 2016/04/11 08:42:06
X-KLMS-AntiVirus: Kaspersky Security 8.0 for Linux Mail Server, version, bases: 2016/04/11 09:40:00 #7475791
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <>
Subject: Re: [Cfrg] [MASSMAIL] Quantum Computing and Crypto Policies
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Apr 2016 20:48:46 -0000

Not only described issues.
Two recent papers also address the post-quantum security of block cipher modes and MACs. ( (
Grigory Marshalko,
Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)

11 апреля 2016 г., 17:33, "Dr. Pala"  написал:
Hi all,

At the CFRG meeting, I have appreciated the presentation about QC in the sense that inspired to think about the future in a more practical way (although there was probably not much agreement on how to proceed forward).

I have also been following the conversation about the post-quantum computing crypto resistance and I am trying to figure out - given what we know about possible quantum computing which, as Tim pointed out during the meeting, is still very little - what types of policies can be implemented today that would allow us to be a bit more resilient to attacks in the post quantum-computing environment (i.e., not being taken by surprise since deploying of new crypto can take several years in the real world despite the algorithm agility we have in current standards). I will try to summarize the two main points:
	* Symmetric crypto is still relatively secure. Using 256bits keys (e.g., AES 256) should provide enough confidentiality for the time being (this is already a common practice in the industry as the overhead compared to 128bits is negligible) - so we are relatively safe here.
	* Given the physical limitations when it comes to be able to have QC with high number of qbits, it seems that when it comes to Asymmetric crypto, ECDSA (given the limited number of bits and the impossibility to extend the number of bits without defining new curves) is the weakest choice compared to RSA with very long keys (e.g., 8K or 16K bits keys or even bigger...).
	In other words, given this scenario and setting aside considerations about signature sizes (although, we have seen an increase in computing resources in terms of processing power, bandwidth, and storage it seems that signature size is a big concern - AFAIK, mostly driven by IoT and similar environments - even more than 10yrs ago! and many WGs are using the size argument over the security argument in their specifications and suggestions), the more flexible and forward-secure choice would be to start using "oversized" RSA keys for asymmetric and for symmetric we can keep using AES 256 with relative confidence (assuming, as I said, that no new quantum-specific algorithms are discovered...)

	Does this summarizes the current situation? Are these (very simplistic) considerations correct? Anybody disagree with these statements? Why?


	-- Massimiliano Pala, PhD Director at OpenCA Labs twitter: @openca