[cabfpub] Quantum Computing is now a concern.
Dean Coclin
Dean_Coclin at symantec.com
Tue Jul 12 15:22:06 UTC 2016
Phillip,
Thank you. Since you could not attend the last call, I've added a slot for next week's call (21st) if you can make that?
Thanks
Dean
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of philliph at comodo.com
Sent: Tuesday, July 12, 2016 10:58 AM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Quantum Computing is now a concern.
At the last IETF, there was a CFRG presentation on the latest state of Quantum Computing. It seems that the technology that has been ten years away for the past 20 years is now maybe as little as 4 years away. And thus we have to start being concerned about the risk of Quantum attacks within the ten year algorithm security window.
There are actually two separate sets of concerns. The first is the risk of an actual break of a major root key. The second is the effect that news of Quantum Cryptanalysis may have on confidence in the Web PKI.
The second is going to be a serious concern even if there is no real risk of the first. Each new advance is going to be heralded as threatening RSA regardless of whether it actually does. And this is a technology that is uniquely difficult to predict developments in.
Building a quantum computer is a bit like building a house of cards. The taller you go, the harder it becomes. It is quite possible that there are physical boundaries that limit the size of a quantum computer. Then again it is possible that there are not. We don’t know if the increase in the number of qubits that can be supported will grow in a linear fashion, an exponential fashion or in the worst case find that there is no limit above a certain point.
It is thus imperative that the industry develop a strategy to address the impending risk of Quantum Cryptanalysis and in particular look at strategies for deploying Quantum Resistant Cryptography (QRC).
Right now, we do not have any public key algorithm that is QR. Symmetric algorithms have their exponential work factors halved. So WF128 becomes a breakable WF64. We need to go to 256 keys for acceptable security.
There is active research on QRC but there isn’t an acceptable public key algorithm right now and even if one is found it is quite possible that patent encumbrances will prevent it being deployed proactively.
What we do have is Lamport Signatures and those are QR but have the severe disadvantage that they can only be used once.
So as a countermeasure, it would behoove us to begin distribution of ‘emergency roots’ that make use of Lamport Signatures. The best way to do this would be to add a pair of SHA2-512 and SHA3-512 digests to each root cert. These would be the fingerprints of a Merkle Tree of Lamport Public Signature keys. That way we would have trust roots predistributed that would allow us to bootstrap a new trust system should that prove necessary.
Browser providers and CAs would both need to deploy the emergency roots. Browser providers would also need to develop strategies for making use of them. They would need to be able to use their own emergency root to validate updates to their code distribution infrastructure.
I think the next steps are to find out what the developments are at IETF in Berlin next week, develop a plan and then find some forum for discussing it that would attract the knowledgeable crypto people and PKI people.
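The quoted proposal (Lamport one-time keys under a Merkle tree, with the tree root pre-distributed as a SHA2-512 and a SHA3-512 fingerprint) is small enough to model end to end. The following is an added illustration written for this page, not code from Phillip, Dean, the CAB Forum or any CA: it assumes SHA-512 for the Lamport internals, a 512-bit message digest (so 512 pairs of secrets per key), a plain concatenation encoding for the public key, and a handful of keys per "emergency root". It shows why the scheme is attractive (a relying party needs only the root fingerprint; each signature carries its own public key plus an authentication path) and enforces the one-time caveat by refusing to reuse a leaf key.

```python
"""Lamport one-time signatures under a Merkle tree, as a model of the
'emergency root' idea. Hash choices and encodings are assumptions made for
this example, not a standard or anyone's deployed format."""
import hashlib
import os

NBITS = 512  # digest length of the message hash; one Lamport secret pair per bit


def sha2(data: bytes) -> bytes:
    return hashlib.sha512(data).digest()


def sha3(data: bytes) -> bytes:
    return hashlib.sha3_512(data).digest()


def lamport_keygen(h=sha2, rng=os.urandom):
    """Secret key: 512 pairs of random 64-byte values. Public key: their hashes."""
    sk = [(rng(64), rng(64)) for _ in range(NBITS)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def _bits(digest: bytes):
    """Most-significant-bit-first bit list of a 64-byte digest."""
    return [(digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(NBITS)]


def lamport_sign(sk, message: bytes, h=sha2):
    # Reveal, for each digest bit, the secret half that matches that bit.
    return [sk[i][b] for i, b in enumerate(_bits(h(message)))]


def lamport_verify(pk, message: bytes, sig, h=sha2) -> bool:
    return all(h(sig[i]) == pk[i][b] for i, b in enumerate(_bits(h(message))))


def leaf_hash(pk, h=sha2) -> bytes:
    """Fingerprint of one Lamport public key (assumed encoding: concatenation)."""
    return h(b"".join(a + b for a, b in pk))


def _pad(level):
    return level + [level[-1]] if len(level) % 2 else level


def merkle_root(leaves, h=sha2) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(leaves, index: int, h=sha2):
    """Sibling hashes from leaf `index` to the root, tagged with the sibling's side."""
    path, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        sib = index ^ 1
        path.append((level[sib], sib < index))
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return path


def merkle_verify(root: bytes, leaf: bytes, path, h=sha2) -> bool:
    node = leaf
    for sibling, sibling_is_left in path:
        node = h(sibling + node) if sibling_is_left else h(node + sibling)
    return node == root


def emergency_root_fingerprints(pks) -> dict:
    """The two digests the proposal would embed in a root cert: the Merkle root
    of the key fingerprints computed once with SHA2-512 and once with SHA3-512."""
    return {
        "sha2-512": merkle_root([leaf_hash(pk, sha2) for pk in pks], sha2).hex(),
        "sha3-512": merkle_root([leaf_hash(pk, sha3) for pk in pks], sha3).hex(),
    }


class EmergencyRoot:
    """Holder of n Lamport keys. Tracks used leaves so no key signs twice."""

    def __init__(self, n: int = 4):
        self.keys = [lamport_keygen() for _ in range(n)]
        self.leaves = [leaf_hash(pk) for _, pk in self.keys]
        self.root = merkle_root(self.leaves)  # the only value relying parties need
        self.used = set()

    def sign(self, message: bytes) -> dict:
        idx = next((i for i in range(len(self.keys)) if i not in self.used), None)
        if idx is None:
            raise RuntimeError("all one-time keys consumed; this root is exhausted")
        self.used.add(idx)
        sk, pk = self.keys[idx]
        return {"index": idx, "pk": pk, "sig": lamport_sign(sk, message),
                "path": merkle_path(self.leaves, idx)}


def verify_with_root(root: bytes, message: bytes, bundle: dict) -> bool:
    """A relying party that knows only `root` checks the one-time signature and
    that the bundled public key really hangs under that root."""
    return (lamport_verify(bundle["pk"], message, bundle["sig"])
            and merkle_verify(root, leaf_hash(bundle["pk"]), bundle["path"]))


if __name__ == "__main__":
    er = EmergencyRoot(n=4)
    msg = b"constructed sample: emergency trust-list update"  # constructed input
    bundle = er.sign(msg)
    print("verifies:", verify_with_root(er.root, msg, bundle))
    print(emergency_root_fingerprints([pk for _, pk in er.keys]))
```

Two design points follow from the code rather than from the email. First, the signature is large (512 × 64 bytes plus the public key and path), which is the price of using only a hash function; that is acceptable for a rarely used emergency path but not for everyday TLS. Second, the `used` set is the whole security argument for the one-time property: a deployment must persist that state reliably, because a restored backup that forgets which leaves were spent turns a one-time key into a reused one.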
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public