No, I can't point to real quantum computers larger than a handful of qubits. When I saw these (http://www.nature.com/ncomms/2015/150429/ncomms7979/full/ncomms7979.html and http://www.nature.com/nature/journal/v519/n7541/full/nature14270.html) earlier this year, it was the first indication to me that the emergence of real quantum computers of significant capability may be closer than I previously expected. I was not expecting the fidelity problem to be resolved for some time to come yet, but this is a (the?) fundamental impediment to real QCs. If it's resolved (and I don't know for certain that it will be by these methods) then progress may be relatively quick. With that in mind, I inferred from the suite B update that NSA judges progress in the area of producing viable quantum computers of sufficient capability to be on the horizon too. Going back to, and expanding on, the text of the announcement that Dan quoted in kicking this all off:
"For example, CSfC deployments involving an IKE/IPsec layer may use RFC 2409-conformant implementations of the IKE standard (IKEv1) together with large, high-entropy, pre-shared keys and the AES-256 encryption algorithm. RFC 2409 is the only version of the IKE standard that leverages symmetric pre-shared keys in a manner that may achieve quantum resistant confidentiality. Additionally, MACsec key agreement as specified in IEEE 802.1X-2010, and the RFC 4279 TLS specification provide further options for implementing quantum resistant security measures today. These options also involve key agreement schemes that leverage large symmetric pre-shared keys. With respect to IAD customers using large, unclassified PKI systems, remaining at 112 bits of security (i.e. 2048-bit RSA) may be preferable (or sometimes necessary due to budget constraints) for the near-term in anticipation of deploying quantum resistant asymmetric algorithms upon their first availability."

A key part of Shor's algorithm that benefits from a QC is essentially a parallelized brute force attack on the inversion of the "hard" problem on which the cryptosystem is based, whether that's computing a discrete factorization, discrete logarithm or an elliptic curve discrete logarithm. In that case the time to compute a solution is proportional to O(N/2) for N-bit keys, and inversely proportional to the number of qubits that can be brought to bear on the problem. As "small" QCs will almost certainly be available before larger ones, systems based on smaller keys will fall to those attacks earlier than larger ones, and the difference will be sizeable. So large RSA keys, or DH keys, will require much larger quantum computers to break than for ECC keys of 256 or 384 bits. If the error correction capabilities don't continue to scale up easily, then larger keys of other crypto systems may remain secure significantly longer.
Like you, I looked for some direct statement that the capability would be available in a reasonable timeframe, but I wasn't surprised not to see it.

Mike

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, August 19, 2015 13:49
To: Mike Borza <[email protected]>
Cc: [email protected]; [email protected]; [email protected]
Subject: Re: [IPsec] PSK mode

> On Aug 19, 2015, at 1:32 PM, Mike Borza <[email protected]> wrote:
>
> They don't mention IKEv2. I don't know IKEv2 well enough to know whether
> there are any symmetric PSK authentication schemes, but if not, perhaps there
> should be. The point they're making is that the ECC-based authentication
> methods become insecure when quantum computers of sufficient power become
> available, and in light of recent progress in the field the indications are
> that they will become available in a reasonably short timeframe. (And they
> should know that timeframe better than just about anybody else.) I view this
> as an indication that they believe there may be viable QCs of that capability
> in the five to ten years timeframe.

Could you point to references that discuss real quantum computers? I spent a while reading on this subject within the past year, and as far as I could tell, quantum computers are a very interesting theory but none yet exist in practice.

I looked for a description of these “Suite B algorithms” but it wasn’t obvious.

Doesn’t PSK involve Diffie-Hellman key agreement? I thought that Shor’s algorithm (or a generalization of it) addresses the discrete log problem.

paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
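The thread turns on why RFC 2409 (IKEv1) with a large PSK can give quantum-resistant confidentiality while Paul's question ("doesn't PSK involve Diffie-Hellman key agreement?") is also fair: both IKE versions do a DH exchange. The difference is where the PSK enters the derivation. The script below is an added illustration written for this page, not code from any of the thread's participants or from an IKE implementation. It follows the key-derivation formulas of RFC 2409 section 5.4 (pre-shared-key mode) and RFC 7296 sections 2.13 and 2.14 (IKEv2 prf+ and SKEYSEED). It assumes HMAC-SHA256 as the prf (IKE negotiates the hash), and every nonce, cookie, PSK and "g^xy" value is a constructed placeholder rather than real DH output. The observer functions model a party who has obtained the DH shared secret (the piece a large quantum computer running Shor's algorithm would target) but not the PSK, and check whether that party can reproduce the session keys.

```python
import hmac
import hashlib

# Constructed sample values for the demonstration; not real IKE traffic.
PSK = bytes.fromhex("f0" * 32)                 # large, high-entropy pre-shared key
NI = bytes.fromhex("0102030405060708" * 2)     # initiator nonce body (Ni_b)
NR = bytes.fromhex("1112131415161718" * 2)     # responder nonce body (Nr_b)
G_XY = bytes.fromhex("ab" * 32)                # stands in for the DH shared secret g^xy / g^ir
CKY_I = bytes.fromhex("a1a2a3a4a5a6a7a8")      # initiator cookie (IKEv1) / SPIi (IKEv2)
CKY_R = bytes.fromhex("b1b2b3b4b5b6b7b8")      # responder cookie (IKEv1) / SPIr (IKEv2)


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the negotiated prf (an assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev1_psk_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5.4, pre-shared-key authentication:
    SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
    The PSK is the prf key at the root, so g^xy alone does not determine the keys."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def ikev2_sk_d(ni, nr, gir, spi_i, spi_r):
    """RFC 7296 section 2.14: SKEYSEED = prf(Ni | Nr, g^ir), SK_d = first prf+ output.
    No PSK appears here; in IKEv2 the PSK only feeds the AUTH payload."""
    skeyseed = prf(ni + nr, gir)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32)


def observer_derives_ikev1_keys(gxy_recovered: bytes, psk_guess: bytes) -> bool:
    """Observer holds the DH secret but only a guess at the PSK. True if keys match."""
    real = ikev1_psk_keys(PSK, NI, NR, G_XY, CKY_I, CKY_R)
    guess = ikev1_psk_keys(psk_guess, NI, NR, gxy_recovered, CKY_I, CKY_R)
    return real == guess


def observer_derives_ikev2_keys(gir_recovered: bytes) -> bool:
    """Same observer against IKEv2: nonces and SPIs are on the wire, so the DH secret
    is the only private input to SK_d."""
    return ikev2_sk_d(NI, NR, gir_recovered, CKY_I, CKY_R) == ikev2_sk_d(NI, NR, G_XY, CKY_I, CKY_R)


if __name__ == "__main__":
    print("IKEv1 PSK mode, DH secret known, PSK unknown:",
          observer_derives_ikev1_keys(G_XY, bytes(32)))   # False
    print("IKEv1 PSK mode, DH secret and PSK known:     ",
          observer_derives_ikev1_keys(G_XY, PSK))         # True
    print("IKEv2, DH secret known, PSK irrelevant:       ",
          observer_derives_ikev2_keys(G_XY))              # True
```

The point the script makes concrete is the one in the quoted announcement: in RFC 2409 pre-shared-key mode the PSK keys the prf from which SKEYID_d, SKEYID_a and SKEYID_e descend, so recovering g^xy leaves an observer with a search over the PSK, which is why the PSK has to be large and high-entropy. In IKEv2 as specified in RFC 7296 the PSK authenticates the peers but does not enter SKEYSEED, so the confidentiality of that exchange rests on the DH problem alone.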
