Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ikev2-08

Benjamin Kaduk <kaduk@mit.edu> Fri, 08 November 2019 20:53 UTC

Date: Fri, 08 Nov 2019 12:52:49 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: Valery Smyslov <svan@elvis.ru>, "draft-ietf-ipsecme-qr-ikev2.all@ietf.org" <draft-ietf-ipsecme-qr-ikev2.all@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>
Message-ID: <20191108205249.GL47216@kduck.mit.edu>
References: <20191105023831.GH55993@kduck.mit.edu> <058d01d593e5$0be7eb80$23b7c280$@elvis.ru> <20191105195939.GH61969@kduck.mit.edu> <06dd01d59476$befb9c30$3cf2d490$@elvis.ru> <BN8PR11MB3666417EBA2DDA0378D56D37C1790@BN8PR11MB3666.namprd11.prod.outlook.com>
In-Reply-To: <BN8PR11MB3666417EBA2DDA0378D56D37C1790@BN8PR11MB3666.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/kPgqYP9ElGrHebC-L48H92td8R0>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ikev2-08
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>

On Wed, Nov 06, 2019 at 04:42:27PM +0000, Scott Fluhrer (sfluhrer) wrote:
> > -----Original Message-----
> > From: Valery Smyslov <svan@elvis.ru>
> > Sent: Wednesday, November 06, 2019 2:50 AM
> > To: 'Benjamin Kaduk' <kaduk@mit.edu>
> > Cc: draft-ietf-ipsecme-qr-ikev2.all@ietf.org; ipsec@ietf.org
> > Subject: RE: AD review of draft-ietf-ipsecme-qr-ikev2-08
> > 
> > 
> > > > >    It is an open question whether or not it is feasible to build a
> > > > >    Quantum Computer (and if so, when one might be implemented),
> > > > > but if
> > > > >
> > > > > Feasibility of some quantum computer is becoming much less of an
> > > > > open question; perhaps we want some qualifiers about efficiency,
> > > > > scale, and/or general-purpose-nature.
> > > >
> > > > Do you have any data or pointers?
> > >
> > > I'm mostly just thinking about press releases from D-WAVE and Google
> > > that get turned into articles in the technology press.  We see
> > > headlines about 60+ q-bit machines, that more likely than not are
> > > doing *something*.  So in my mind it becomes a question of whether
> > > what these machines (that exist and are being sold) are doing is
> > > useful for the problems relevant to a given technology, rather than
> > > whether a quantum computer exists.  (I'm not even sure that there's
> > > a generally accepted definition for what "quantum computer" means --
> > > some people seem to use it for just annealing-based stuff.)
> > 
> > Probably, if we add a qualifier "full-scale Quantum Computer" then the text
> > will become less questionable? Something like this:
> > 
> >      It is an open question whether or not it is feasible to build a
> >      large-scale Quantum Computer (and if so, when one might be
> >      implemented), but if it is, many of the cryptographic algorithms
> >      and protocols currently in use would be insecure.
> > 
> > Or are you suggesting to rephrase the sentence completely? E.g.:
> > 
> >     Recent achievements in developing Quantum Computers (QC) demonstrate
> >     that it is probably feasible to build a large-scale QC. If such a QC
> >     is implemented, many of the cryptographic algorithms and protocols
> >     currently in use would be insecure.
> 
> I'd suggest using the phrase "cryptographically significant Quantum Computer".  The problems that you find in cryptography do need more qubits than current Quantum Computers possess; however they also need to perform millions of operations without significant error, and that would appear to be a more serious hurdle.

This is the best suggestion I've heard so far, thanks.

> > 
> > > > >    would be compromised.  IKEv1 [RFC2409], when used with strong
> > > > >    preshared keys, is not vulnerable to quantum attacks, because those
> > > > >    keys are one of the inputs to the key derivation function.  If the
> > > > >    preshared key has sufficient entropy and the PRF, encryption and
> > > > >    authentication transforms are postquantum secure, then the resulting
> > > > >    system is believed to be quantum resistant, that is, invulnerable to
> > > > >    an attacker with a Quantum Computer.
> > > > >
> > > > > Do we have a reference for this "it is believed", or is it just
> > > > > the outcome of the WG discussions?
> > > >
> > > > I'll let my co-authors comment on this, but I think it is meant that
> > > > according to our best current knowledge nothing better than Grover's
> > > > algorithm can be used to break a symmetric key cryptosystem with a QC.
> > > > And Grover's algorithm only halves the effective key length, so if a
> > > > longer PSK is used, we're safe (we believe we are).
> > >
> > > To be clear: I share this belief! :)
> > > I am just asking if it is sufficiently well-known/widespread that no
> > > reference is needed; that may well be the case.
> > 
> > I believe it is, but I again prefer someone more knowledgeable in QC than
> > myself to comment.
> 
> Breaking it down, we come up with four propositions:
> - Grover's attack would require a huge number of operations against a sufficiently long secret.
> - This huge number of operations is infeasible against any plausible operation.
> - Any attack better than Grover's would require attacking the function at a lower level than a black box.
> - No such insight is known.
> 
> The first can easily be cited (e.g. the original Grover paper).  The second one is generally believed, but the exact length of the secret would depend on the eventual speed/scale of a quantum computer, which is somewhat unknown.
> The third is also citable (again, the original Grover paper).  The fourth is problematic, because it is essentially an argument from a lack of knowledge.
> 
> Personally, I believe that this sort of argument is well known enough (at least, to the people who know postquantum cryptography) that it would not be required.

I've heard enough people say this that I'm convinced.

Thanks for having the discussion!

-Ben