[messaging] Do quantum attacks/algos also lead to compromise of PFS?

D. J. Bernstein djb at cr.yp.to
Sat Jan 24 21:06:02 PST 2015

Two comments on terminology.

1. "Forward secrecy" (especially "perfect forward secrecy") frequently
deceives users into thinking that their communication is protected
against future cryptanalytic advances, notably quantum computers.

In the MinimaLT paper we switched terminology from "forward secrecy" to
"key erasure". Erasing keys clearly does nothing against cryptanalysis:
at best it stops someone who steals your notes of the keys. This phrase
also allows easy quantification: e.g., "key erasure after a minute" or
"key erasure as soon as the next message is received".

2. When people say that a "post-quantum" system "has 2^128 security",
what they typically mean is that the system

   * has 2^128 security against known _pre-quantum_ attacks and
   * retains _some_ security against post-quantum attacks,

but it's rare for the _post-quantum security level_ to be quantified.
It's reasonable to expect Grover-type attacks to break most of these
systems with far fewer quantum operations, maybe as few as 2^64, which
isn't good enough for long-term security.

One exception is SPHINCS (http://sphincs.cr.yp.to): we explicitly
targeted a 2^128 post-quantum security level. We're encouraging people
to do this type of analysis and parameter selection for more systems.


More information about the Messaging mailing list