Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

"A. Huelsing" <ietf@huelsing.net> Tue, 16 April 2019 09:02 UTC

To: cfrg@irtf.org
References: <155231848866.23086.9976784460361189399@ietfa.amsl.com> <CAEseHRrVomCo6KD7gidCRBzKJDzFZRQ+q0+PjfBr8tQT4dVpMQ@mail.gmail.com> <b016d1f6-68e4-9728-c738-ab72c593dfd1@lepidum.co.jp> <CAEseHRoLGFbf74HT9n2beryc9Liqf2Hz+_rh-yo6Q8hNqwCvNQ@mail.gmail.com> <CAMCcN7RTQU=a+SYVkGUHZ4enOhkA9j9i6ivMRDUwb+aXPZ9hBg@mail.gmail.com> <7AE82BE8-768D-4B70-B7F1-EAF6894E428E@ll.mit.edu> <9CABDAD4-AAB7-46BF-BED7-6A917F828F11@inf.ethz.ch> <27F5D9B6-A44D-4A12-B81D-C4FB01052113@ll.mit.edu> <810C31990B57ED40B2062BA10D43FBF501DB4A31@XMB116CNC.rim.net> <B79CBA86-3C81-4973-84C2-7DAD7B659CB4@ericsson.com> <CADPMZDCHgsP6=ssJymeoq7RP1eshWf4zk+N9Cf1DY-fk+ntCgA@mail.gmail.com> <1554167337418.62603@cs.auckland.ac.nz> <1A5915E5-E50A-426E-B8F5-6CCCA47AB392@ll.mit.edu> <DB8PR05MB599359EAB383B467DBE6DDB283570@DB8PR05MB5993.eurprd05.prod.outlook.com> <1555299362578.89262@cs.auckland.ac.nz> <2C14A5F0-641D-4B5A-B455-A0B90B2DA371@ll.mit.edu> <1555376274178.98178@cs.auckland.ac.nz>
From: "A. Huelsing" <ietf@huelsing.net>
Message-ID: <b95eaf34-c86a-bfe9-ab9e-c41e61202a7a@huelsing.net>
Date: Tue, 16 Apr 2019 10:37:58 +0200
In-Reply-To: <1555376274178.98178@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vL6BgdzG5z_6s9urZa8TuNo_BMc>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

I am not sure if this reference already came up but let me add a large group of
people with their opinion.
The National Academies of Sciences, Engineering, and Medicine published the
following consensus report:

Quantum Computing: Progress and Prospects (2019) <https://www.nap.edu/read/25196>

Contributors are
National Academies of Sciences, Engineering, and Medicine; Division on
Engineering and Physical Sciences <https://www.nap.edu/author/DEPS>; Computer
Science and Telecommunications Board <https://www.nap.edu/author/CSTB>;
Intelligence Community Studies Board; Committee on Technical Assessment of the
Feasibility and Implications of Quantum Computing
<https://www.nap.edu/initiative/committee-on-technical-assessment-of-the-feasibility-and-implications-of-quantum-computing>;
Emily Grumbling and Mark Horowitz, Editors

Freely available at
https://www.nap.edu/catalog/25196/quantum-computing-progress-and-prospects

While it generally is an interesting read, I would like to draw your attention
to key finding 10 which says:

"Even if a quantum computer that can decrypt current cryptographic ciphers is
more than a decade off, the hazard of such a machine is high enough—and the time
frame for transitioning to a new security protocol is sufficiently long and
uncertain—that prioritization of the development, standardization, and
deployment of post-quantum cryptography is critical for minimizing the chance of
a potential security and privacy disaster."

There also is the urgency caused by the problem that things sent encrypted today
can be stored and decrypted when a sufficiently large quantum computer is
available. But who would store all the encrypted traffic on the Internet...

I do agree that there are a lot of things to get wrong when rolling out new
crypto and that established schemes should be strictly preferred to old schemes
as long as those are still providing the necessary security guarantees.
Admittedly, I am not a pairings person but my impression is that pairings are
not really an example of a long established scheme that we totally figured out
how to implement.

However, my feeling is that it will still take some time till PQC algorithms for
advanced functionalities are mature enough to be selected and, hence, if people
are already starting to use conventional algorithms of this kind it is probably
a good idea to agree on the right ones. I would just argue that we should make
sure that we can easily replace the conventional schemes we define now with PQC
schemes in the somewhat near future.

Andreas


On 16-04-19 at 02:58, Peter Gutmann wrote:
> Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> writes:
>
>> While not a quantum physicist myself, I do think you are downplaying the risks:
> Nor am I, but this guy is, or at least he's a theoretical physicist:
>
> https://spectrum.ieee.org/computing/hardware/the-case-against-quantum-computing
>
> with expected "case against the case" responses, the main one being that as a
> theoretical physicist he focuses on somewhat red-herring issues like the issue
> of working with continuous parameters rather than the more pressing practical
> issues of decoherence and error control, which is what's actually killing it
> at any scale beyond "toy lab experiment".
>
>> https://www.insidequantumtechnology.com
> That's sort of like going to Russia Today for news about Russia... I chose the
> IEEE ref as an example not because it's the perfect critique (it's actually
> somewhat flawed) but because they get technically knowledgeable people while
> not being outright QC cheerleaders.
>
>> that's not an excuse to ignore the upcoming threat on the algorithmic level.
> Sure, but you need to keep in mind when doing that that anything standardised
> by the CFRG will be immediately rushed into production by people with no
> understanding of how to correctly implement it, deploy it, and apply it,
> simply because it's trendy.
>
> Prediction: As soon as any significant standards body like the CFRG
> standardises PQC algorithms, there will be not just one but multiple PQC forks
> of Bitcoin/blockchain tech and/or new cryptocurrencies built on PQC, not
> because it's required or useful but just because it's there.  And the moment
> it's done there, the herd will follow because anything that BTC does has to be
> good.
>
> Anyone want to make a bet with me on this?  I'll take anything from "dinner at
> Tony's Steak House" to "your research funding for the next five years" as the
> stake, depending on how strongly you believe in PQC :-).
>
> Peter.
>