On Sun, Jan 25, 2015 at 5:37 PM, Hanno Böck <[email protected]> wrote:
> On Sat, 24 Jan 2015 23:02:50 -0800
> Tao Effect <[email protected]> wrote:
>
>> Does SPHINCS also allow for encryption, or is it for generating
>> secure signatures only?
>
> SPHINCS is signatures only.
>
> When you're looking for post-quantum encryption you may want to have a
> look at ring learning with errors. It's one of the more practical PQ
> encryption schemes out there. There was a talk at RWC recently:
> http://files.douglas.stebila.ca/files/research/presentations/20150108-RWC.pdf

NTRU is also worth a look. But both the scheme presented at RWC and NTRU have issues with their actual security: the estimates of attacker time frequently ignore standard algorithms known to make RLWE faster, and the claimed security arguments are loose. We don't have anything close to the level of understanding and research into Jacobians of curves, or even example computations recovering keys.

> And they even have some TLS cipher suites and code:
> https://github.com/dstebila
> https://github.com/dstebila/openssl-rlwekex
>
> However it should be considered that they choose pre-quantum security
> levels. That means their 128 bit security cannot be compared to the
> 128 bit security of SPHINCS. It's only 64 bit post-quantum security
> taking Grover's algorithm into account.

Huh? Grover's algorithm doesn't give a square root for every attack, only exhaustive search. Plus, there may be better quantum shortest vector algorithms. One example of a lattice-based scheme that failed was Soliloquy. The best algorithm on a quantum computer was specially adapted to the scheme: merely turning the best classical algorithm quantum wouldn't work.

> Also: Don't trust it too much. This is an area where the only safe
> advice is: more research is needed to know what's secure.

We have very safe encryption via McEliece. The issue is key sizes are very large. That's where a lot of the research is focused, and why things like ring-LWE are interesting.

Sincerely,
Watson Ladd

> cu,
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: [email protected]
> GPG: BBB51E42
>
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging

--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
