[messaging] Do quantum attacks/algos also lead to compromise of PFS?

Watson Ladd watsonbladd at gmail.com
Mon Jan 26 19:30:01 PST 2015


On Sun, Jan 25, 2015 at 5:37 PM, Hanno Böck <hanno at hboeck.de> wrote:
> On Sat, 24 Jan 2015 23:02:50 -0800
> Tao Effect <contact at taoeffect.com> wrote:
>
>> Does SPHINCS also allow for encryption, or is it for generating
>> secure signatures only?
>
> SPHINCS is signatures only.
>
> When you're looking for post quantum encryption you may want to have a
> look at ring learning with errors. It's one of the more practical pq
> encryption schemes out there. There was a talk at rwc recently:
> http://files.douglas.stebila.ca/files/research/presentations/20150108-RWC.pdf

NTRU is also worth a look. But both the scheme presented at RWC and
NTRU have issues with their actual security: the estimates of attacker
time frequently ignore standard algorithms known to make RWE faster,
and the claimed security arguments are loose. We don't have anything
close to the level of understanding and research into jacobians of
curves or even example computations recovering keys.

>
> And they even have some TLS cipher suites and code:
> https://github.com/dstebila
> https://github.com/dstebila/openssl-rlwekex
>
> However it should be considered that they choose pre-quantum security
> levels. That means their 128 bit security can not be compared to the
> 128 bit security of sphincs. It's only 64 bit post-quantum security
> taking grovers algorithm into account.

Huh?  Grover's algorithm doesn't give a square root for every attack,
only exhaustive search. Plus, there may be better quantum shortest
vector algorithms.

One example of a lattice based scheme that failed was SOLILIQUY. The
best algorithm on a quantum computer was specially adapted to the
scheme: merely turning the best classical algorithm quantum wouldn't
work.

>
> Also: Don't trust it too much. This is an area where the only safe
> advice is: more research is needed to know what's secure.

We have very safe encryption via McElice. The issue is key sizes are
very large. That's where a lot of the research is focused, and why
things like ring-RWE are interesting.

Sincerely,
Watson Ladd

>
> cu,
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno at hboeck.de
> GPG: BBB51E42
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin


More information about the Messaging mailing list