IETF Logo Mail Archive

Re: [IPsec] Modp-12288 and Modp-16384

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Wed, 18 July 2018 18:27 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 908C3130EC5 for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 11:27:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zaIHdzk7vrbT for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 11:27:36 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B418B130EB2 for <ipsec@ietf.org>; Wed, 18 Jul 2018 11:27:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3455; q=dns/txt; s=iport; t=1531938456; x=1533148056; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=WO0wxJolJKfYq/E1W+DEtQBcUtmvXwXp/Bu71DHLZCs=; b=mwa/HEg3iiR5K0e0zk8x4lpNtaTIBr2+K3vKARRFBDBz7uV9W+wG1uSM yOlgUJhIG1pSJSmURTMemBwLK6kg242TfyeLcXCEk0CcKQi6fXRqiNUXQ A/HuwcLaOMwDu/7bcsQ0nHBuyYvWUP67wmELzbbinNWSZ52qiDEKhUm0w g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C+AAA+hU9b/5xdJa1cGQEBAQEBAQEBAQEBAQcBAQEBAYNJY38oCot4jCyCDHWURIF6Cx+ETQKCeSE0GAECAQECAQECbRwMhTYBAQECAQE6PwUHBAIBCBEEAQEfEDIdCAIEDgUIgxmBdwgPqx+KRwWJAoFXP4ERglw1gxkDhzUCmWAJAoYIiRWNbgqKMYc1AhEUgSQdOIFScBWDJIsVhT5vAYtvgRoBAQ
X-IronPort-AV: E=Sophos;i="5.51,371,1526342400"; d="scan'208";a="415283476"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Jul 2018 18:27:35 +0000
Received: from XCH-RTP-007.cisco.com (xch-rtp-007.cisco.com [64.101.220.147]) by rcdn-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id w6IIRZWn020786 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 18 Jul 2018 18:27:35 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-007.cisco.com (64.101.220.147) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 18 Jul 2018 14:27:34 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Wed, 18 Jul 2018 14:27:34 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "paul.hoffman@icann.org" <paul.hoffman@icann.org>
Thread-Topic: [IPsec] Modp-12288 and Modp-16384
Thread-Index: AQHUHeEt9Kg9dsLIj0KCW8RHo8p9L6STh0TQgACnDgCAAB09wIABFW+A///q+XA=
Date: Wed, 18 Jul 2018 18:27:34 +0000
Message-ID: <194410e85ae845f690944e6b354427b4@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <23375.24083.491329.962989@fireball.acr.fi>
In-Reply-To: <23375.24083.491329.962989@fireball.acr.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/5a-_e9Dspf5jwHbzgMnR87JioHo>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 18:27:40 -0000

> -----Original Message-----
> From: Tero Kivinen <kivinen@iki.fi>
> Sent: Wednesday, July 18, 2018 11:35 AM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
> Cc: ipsec@ietf.org; paul.hoffman@icann.org
> Subject: Re: [IPsec] Modp-12288 and Modp-16384
> 
> Scott Fluhrer \(sfluhrer\) writes:
> > > That we do not know until we know what those quantum computers can
> > > really do... I have not seen anybody saying how many qbits you need
> > > to break MODP-2048.
> >
> > It's about twice as many as you need to factor a 2048 bit composite;
> > so about 4k (logical) qubits.
> >
> > > Most of the things I have seen talks about factoring RSA, and even
> > > then they do not provide numbers.
> >
> > How about https://arxiv.org/abs/quant-ph/0205095 - to factor an n bit
> > number, you can do it with circa 2n qubits.
> >
> > If you want other references, we have
> > https://arxiv.org/abs/1611.07995 and
> > https://arxiv.org/pdf/1706.07884.pdf both with similar results. We
> > also have https://arxiv.org/abs/quant-ph/0601097 which suggests a way
> > with 1.5n qubits; however that paper makes some assumptions about
> > errors that might not be true.
> 
> It would be good idea to get draft-hoffman-c2pq updated with these
> references.
> 
> > Of course, these papers are focusing in on minimizing the number of
> > qubits; it's quite possible a trade-off that increases the number of
> > qubits, while decreasing the number of (say) T gates, would be
> > advantageous; we don't know enough about the relative costs to know.
> 
> Yep, and how many bits we need more because of error correcting stuff etc.

It multiplies it by a factor of N, whose value depends on the quantum error correction algorithm.

In the quantum computing space, they mostly talk about "logical queue bits", that is, they assume that the error correction problem is already solved (unless, of course, they are specifically working on quantum error correction algorithms).

> 
> > > draft-hoffman-c2pq also says that we might have machines breaking
> > > AES-128 before than we have machines that can break Diffie-Hellman,
> > > i.e., it is most likely easier to make machine running Grover's
> > > algorithm than machine running Shor's algorithm.
> >
> > That work totally ignores the amount of time we're talking about with
> > O(2**64) computations (and parallelization is less helpful than usual;
> > Grover's becomes less efficient the more we parallelize it).
> 
> Any idea how many computations needs to be done for the shor's algorithm,
> i.e., breaking 2048 bit Diffie-Hellman. I have just seen text saying it is
> polynominal time, but I have not really seen any guesses what the actual
> numbers are going to be.

Very good question; the references I find all essentially say "cubic"; however they don't immediately talk about the constant factor.  I suspect that this constant factor won't be that large; however that most certainly merits further investigation.

> And I understand that there is also quite big
> classical computation pre- and post-processing steps too.

Not really; there is computation needed there, but it is quite straight-forward.

Shor's algorithm gives you a value k where a^x = a^(x+k) mod n; once you have that value k, factoring n is a well understood (and fairly easy) problem, solvable by, say, Miller's algorithm.

v2.23.0 | Report a Bug | By Email