IETF Logo Mail Archive

Re: [IPsec] Modp-12288 and Modp-16384

Tero Kivinen <kivinen@iki.fi> Wed, 18 July 2018 15:35 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11A09130F63 for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 08:35:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KVlO982p9AbM for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 08:35:18 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C750E1311AC for <ipsec@ietf.org>; Wed, 18 Jul 2018 08:35:17 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6IFYivd016646 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 18 Jul 2018 18:34:44 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6IFYhot011911; Wed, 18 Jul 2018 18:34:43 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23375.24083.491329.962989@fireball.acr.fi>
Date: Wed, 18 Jul 2018 18:34:43 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, paul.hoffman@icann.org
In-Reply-To: <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 11 min
X-Total-Time: 22 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/oTcTKosPGm7Q1Qr__USHIXDEuhI>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 15:35:20 -0000

Scott Fluhrer \(sfluhrer\) writes:
> > That we do not know until we know what those quantum computers can
> > really do... I have not seen anybody saying how many qbits you need to
> > break MODP-2048.
> 
> It's about twice as many as you need to factor a 2048 bit composite;
> so about 4k (logical) qubits.
> 
> > Most of the things I have seen talks about factoring RSA,
> > and even then they do not provide numbers.
> 
> How about https://arxiv.org/abs/quant-ph/0205095 - to factor an n
> bit number, you can do it with circa 2n qubits.
> 
> If you want other references, we have
> https://arxiv.org/abs/1611.07995 and
> https://arxiv.org/pdf/1706.07884.pdf both with similar results. We
> also have https://arxiv.org/abs/quant-ph/0601097 which suggests a
> way with 1.5n qubits; however that paper makes some assumptions
> about errors that might not be true.

It would be good idea to get draft-hoffman-c2pq updated with these
references. 

> Of course, these papers are focusing in on minimizing the number of
> qubits; it's quite possible a trade-off that increases the number of
> qubits, while decreasing the number of (say) T gates, would be
> advantageous; we don't know enough about the relative costs to know.

Yep, and how many bits we need more because of error correcting stuff
etc. 

> > draft-hoffman-c2pq also says that we might have machines breaking
> > AES-128 before than we have machines that can break Diffie-Hellman, i.e., it
> > is most likely easier to make machine running Grover's algorithm than
> > machine running Shor's algorithm.
> 
> That work totally ignores the amount of time we're talking about
> with O(2**64) computations (and parallelization is less helpful than
> usual; Grover's becomes less efficient the more we parallelize it).

Any idea how many computations needs to be done for the shor's
algorithm, i.e., breaking 2048 bit Diffie-Hellman. I have just seen
text saying it is polynominal time, but I have not really seen any
guesses what the actual numbers are going to be. And I understand that
there is also quite big classical computation pre- and post-processing
steps too.

> Also, the interesting algorithms in Quantum Chemical modelling are
> significantly different from Grover's.  It's possible that there are
> some proposed protein folding problems that would use Grover's... 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email