On Wed, Nov 19, 2014 at 11:37:39PM +0100, Aaron Zauner wrote:
> Yup, I meant the post-quantum stuff w.r.t. asking CFRG. I'm
> subscribed there, and some people working on exactly that topic
> are as well. But to be honest I don't see a pressing reason to
> do so right now.
You'll likely get a simple answer. The quantum attack on block
ciphers, were it to become practical, is IIRC a generic O(N)->O(sqrt(N))
search speedup. This is very much unlike the situation with RSA
or ECDH where the Shor attack is far more devastating.
There are IIRC no published quantum speedups against block ciphers
except for the generic one.
So while we may yet need new post-quantum asymmetric algorithms,
there is no dramatic need for new symmetric ones, just double the
key size. As for NSA, they originally specified AES-192 for TOP
SECRET, but this never became popular in hardware (Intel AES-NI,
...) so the Suite B spec got changed to AES-256.
The whole thing boils down to how many years one's data must remain
secret, and how concerned one is about imminent scalable QC hardware.
I don't know whether the CFRG can answer either question, but I'd
guess that Scott Aaronson is not yet saving up to buy his first QC
PC on Amazon.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta