[messaging] Do quantum attacks/algos also lead to compromise of PFS?

Tao Effect contact at taoeffect.com
Sat Jan 24 23:02:50 PST 2015


Thanks Dan!

> One exception is SPHINCS (http://sphincs.cr.yp.to): we explicitly
> targeted a 2^128 post-quantum security level. We're encouraging people
> to do this type of analysis and parameter selection for more systems.


Does SPHINCS also allow for encryption, or is it for generating secure signatures only?

Have you any comments about SIDH btw? According to this, it claims to provide forward secrecy:

https://en.wikipedia.org/wiki/Supersingular_Isogeny_Key_Exchange

BTW, I smiled and lol'd at:

Special note to law-enforcement agents: The word "state" is a technical term in cryptography. Typical hash-based signature schemes need to record information, called "state", after every signature. Google's Adam Langley refers to this as a "huge foot-cannon" from a security perspective. By saying "eliminate the state" we are advocating a security improvement, namely adopting signature schemes that do not need to record information after every signature. We are not talking about eliminating other types of states. We love most states, especially yours! Also, "hash" is another technical term and has nothing to do with cannabis.

:-)

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Jan 24, 2015, at 9:06 PM, D. J. Bernstein <djb at cr.yp.to> wrote:

> Two comments on terminology.
> 
> 1. "Forward secrecy" (especially "perfect forward secrecy") frequently
> deceives users into thinking that their communication is protected
> against future cryptanalytic advances, notably quantum computers.
> 
> In the MinimaLT paper we switched terminology from "forward secrecy" to
> "key erasure". Erasing keys clearly does nothing against cryptanalysis:
> at best it stops someone who steals your notes of the keys. This phrase
> also allows easy quantification: e.g., "key erasure after a minute" or
> "key erasure as soon as the next message is received".
> 
> 2. When people say that a "post-quantum" system "has 2^128 security",
> what they typically mean is that the system
> 
>   * has 2^128 security against known _pre-quantum_ attacks and
>   * retains _some_ security against post-quantum attacks,
> 
> but it's rare for the _post-quantum security level_ to be quantified.
> It's reasonable to expect Grover-type attacks to break most of these
> systems with far fewer quantum operations, maybe as few as 2^64, which
> isn't good enough for long-term security.
> 
> One exception is SPHINCS (http://sphincs.cr.yp.to): we explicitly
> targeted a 2^128 post-quantum security level. We're encouraging people
> to do this type of analysis and parameter selection for more systems.
> 
> ---Dan
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
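
The distinction Dan draws above (key erasure stops someone who steals your notes of the keys; it does nothing against cryptanalysis of recorded ciphertext) as a runnable toy. This is an added example, not code from the thread, from MinimaLT or from SPHINCS. It assumes a symmetric ratchet in which each message key is derived from a chain key with HMAC-SHA256 and the chain key is then overwritten, and it uses a constructed toy cipher with a deliberately tiny 16-bit key so that "cryptanalysis" can be simulated by exhaustive search.

```python
"""Key erasure vs. cryptanalysis, as a runnable toy.

Added example, not code from the thread, MinimaLT or SPHINCS. A symmetric
ratchet derives one message key per message with HMAC-SHA256 and then
overwrites its chain key, so a later theft of the sender's state reveals
only keys for messages sent after the theft. The cipher is a constructed
toy (keystream = SHA-256(key || counter) XORed into the message) with a
deliberately tiny 16-bit key so that "cryptanalysis" of recorded
ciphertext can be simulated by exhaustive search.
"""
import hashlib
import hmac
from typing import Optional

TOY_KEY_BYTES = 2  # constructed: 16-bit keys make brute force instant


def kdf(chain_key: bytes, label: bytes) -> bytes:
    """Domain-separated key derivation step."""
    return hmac.new(chain_key, label, hashlib.sha256).digest()


def toy_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (encrypt and decrypt are the same XOR)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def next_message_key(chain_key: bytes) -> bytes:
    """Message key for the current chain position (truncated to toy size)."""
    return kdf(chain_key, b"message")[:TOY_KEY_BYTES]


def advance(chain_key: bytes) -> bytes:
    """One-way step to the next chain key; the previous one is not recoverable."""
    return kdf(chain_key, b"chain")


class ErasingSender:
    """Sender that erases each key as soon as the next message is sent."""

    def __init__(self, root_key: bytes) -> None:
        self.chain_key = root_key

    def send(self, plaintext: bytes) -> bytes:
        message_key = next_message_key(self.chain_key)
        ciphertext = toy_crypt(message_key, plaintext)
        # Key erasure: the old chain key (and so every earlier message key)
        # is no longer derivable from anything this sender still holds.
        self.chain_key = advance(self.chain_key)
        return ciphertext


def keys_from_stolen_state(chain_key: bytes, count: int) -> list:
    """What an attacker who steals the sender's current state can derive:
    the next `count` message keys, and nothing from before the theft."""
    keys = []
    for _ in range(count):
        keys.append(next_message_key(chain_key))
        chain_key = advance(chain_key)
    return keys


def brute_force(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Cryptanalysis stand-in: exhaustive search over the toy key space.
    Nothing the sender erased makes any difference to this attacker."""
    for k in range(1 << (8 * TOY_KEY_BYTES)):
        key = k.to_bytes(TOY_KEY_BYTES, "big")
        if toy_crypt(key, ciphertext[: len(known_prefix)]) == known_prefix:
            return key
    return None


def demo() -> dict:
    # Constructed messages; the attacker records every ciphertext.
    m1, m2, m3 = b"attack at dawn", b"meet at the bridge", b"abort, go home"
    sender = ErasingSender(b"constructed root key")
    c1 = sender.send(m1)
    c2 = sender.send(m2)
    stolen = sender.chain_key  # state theft happens here
    c3 = sender.send(m3)

    (k_next,) = keys_from_stolen_state(stolen, 1)
    return {
        # Stolen state reads the message sent after the theft...
        "theft_reads_later": toy_crypt(k_next, c3) == m3,
        # ...but not the erased ones before it.
        "theft_reads_earlier": toy_crypt(k_next, c1) == m1
        or toy_crypt(k_next, c2) == m2,
        # A cryptanalytic attacker reads the erased message regardless.
        "cryptanalysis_reads_earlier": toy_crypt(brute_force(c1, b"attack a"), c1) == m1,
    }


if __name__ == "__main__":
    for claim, holds in demo().items():
        print(f"{claim}: {holds}")
```

The 2^16 search here stands in for whatever cryptanalysis a future attacker can afford; Dan's Grover point is that a system sold as "2^128" may sit closer to 2^64 against a quantum adversary, and no amount of key erasure on the endpoints changes that number.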
