[Secdispatch] Clarification on my PQC remarks.

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 27 July 2022 02:32 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 26 Jul 2022 22:32:17 -0400
Message-ID: <CAMm+LwhD+y+NM0GxgtqEGc-v6rGj+323peD2MTtsOQ3seW5RWQ@mail.gmail.com>
To: IETF SAAG <saag@ietf.org>, IETF SecDispatch <secdispatch@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/8ymmXbzdTHJKskSik1iOcAOLc2o>
Subject: [Secdispatch] Clarification on my PQC remarks.

So, to clarify my remarks at the mic on the likely arrival time of Quantum
Computers, I believe two things to be true:

1) It is highly unlikely that a Quantum Computer capable of doing quantum
cryptanalysis of current industry-standard algorithms will be publicly
deployed in the immediate future.

2) There is no time to waste in developing PQC systems.

My concern about overstating the likelihood of a near-term threat is that I
have seen many past efforts predicated on a very, very short timeline (12
months) take much, much longer than they needed to (7 years) as a result.
"Oh, there is no time to consider your proposal, this has to be done
immediately!"

I do expect the process of transitioning to PQC to take a very long time,
not least because we don't even have a key exchange that works for static
data yet, unless there is a clever ElGamal-type approach to turn an
interactive exchange into a static one. I have an approach that works for
the Mesh. It is a hybrid scheme because that is the only way I can achieve
the necessary separation of roles, which I actually consider to be a much
bigger issue than PQC right now.

On the Quantum Computing technology side, it is probably a mistake to take
too much notice of the rate of progress in supercooled Josephson junction
machines. Those teams will likely continue to add qubits or extend their
coherence times incrementally, but at exponentially increasing cost.

Trapped-ion machines offer an approach that is fundamentally much easier to
scale. They can be made in regular silicon foundries, and the problem of
building a 10-qubit machine is really no different from that of building a
thousand- or a million-qubit one. Fortunately, there are fundamental
problems to be solved before that can happen (if you are going to operate
it for longer than a second, it gets much harder). But if they do, the time
interval between 'barely functional quantum computer' and 'quantum computer
breaking any public key crypto system' is likely to be rather short.

So I agree with Russ and everyone else who says that we have to start now.
There is no time to waste. But if we want to move fast, we need to start
off by getting a broad base of people up to speed on these new technologies
and not be afraid to look at multiple approaches to retrofitting existing
protocols.

In some cases, adapting protocols to the PQC algorithms is going to be
straightforward, but others are likely to require substantial adaptation,
and in some cases the best approach will be to start from scratch.