Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

Andy Lutomirski <luto@amacapital.net> Thu, 27 March 2014 22:02 UTC

Message-ID: <53349FD6.8070909@mit.edu>
Date: Thu, 27 Mar 2014 15:01:58 -0700
From: Andy Lutomirski <luto@amacapital.net>
To: tls@ietf.org
References: <AD51D38F-2CFE-4277-854D-C0E56292A336@cisco.com> <20140326211219.27D281AC7D@ld9781.wdf.sap.corp> <20140327095527.5335c7fa@hboeck.de> <20140327115551.GA24503@randombit.net> <6f43d6c5-b70f-4a80-98e6-f653011317c7@email.android.com> <20140327140100.0b98c4b5@hboeck.de>
In-Reply-To: <20140327140100.0b98c4b5@hboeck.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/KCIhajSQHVZTapqr0TvDnnFRBck
Subject: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

On 03/27/2014 06:01 AM, Hanno Böck wrote:
> On Thu, 27 Mar 2014 12:27:17 +0000
> It will be easier to build a quantum computer to break 512 bit keys
> than one to break 4096 bit keys. That's why in a world where quantum
> computers become a reality I'd rather go with RSA+DHE with large
> key/modulus than with anything from the ECC family.

Barely.

With my quantum cryptography hat on, I think this is a pointless thing
to design in.  If you can build a big enough quantum computer to run any
of the period-finding / hidden subgroup algorithms, then it seems
extremely likely that you have a real fault-tolerant machine with a real
memory interconnect.  At that point, the machine size scales pretty much
linearly with the size of the group.

It's a bit different if the attacker has an adiabatic machine, but I'd
be absolutely shocked if the first machine to run Shor's algorithm is
adiabatic.

--Andy
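The period-finding step under discussion, as an added example that is not part of the original e-mail thread: the classical half of Shor's algorithm (reducing factoring to finding the multiplicative order of a random base mod N), with the order found by brute force in place of the quantum step, plus the textbook estimate that the period register grows linearly, about 2n qubits for an n-bit modulus. The toy modulus, the seed parameter and the function names are this example's own assumptions.

```python
# Added example (not from the original message): the classical reduction
# used by Shor's algorithm.  Factoring N becomes finding the order r of a
# random base a mod N.  Here the order is found by brute force; on a
# quantum machine this is the period-finding step, whose main register
# needs roughly 2n qubits for an n-bit N (textbook Q = 2^t >= N^2), which
# is the "scales linearly with the size of the group" point above.
import math
import random


def period_register_qubits(n: int) -> int:
    """Textbook Shor: first register holds Q = 2^t >= N^2, so t = 2*bits(N)
    (plus a few qubits for precision, omitted here)."""
    return 2 * n.bit_length()


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r == 1 (mod n), assuming gcd(a, n) == 1.
    Brute force; this is the step a quantum computer would replace."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_classical(n: int, seed: int = 1) -> int:
    """Return a non-trivial factor of n via order finding.  Assumes n is
    an odd product of two distinct primes; seed is a constructed knob
    so the base choice is reproducible."""
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, n)
        g = math.gcd(a, n)
        if g != 1:
            return g           # lucky base already shares a factor with n
        r = multiplicative_order(a, n)
        if r % 2:
            continue           # odd order: pick another base
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue           # a^(r/2) == -1 mod n gives no information
        return math.gcd(y - 1, n)  # y^2 == 1 mod n, y != +-1: factor found


if __name__ == "__main__":
    n = 3233  # constructed toy modulus: 61 * 53
    print(shor_classical(n), period_register_qubits(n))
```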