You'll note they don't actually specify any asymmetric quantum-resistant algorithms. I'd guess if they did, NTRU or a derivative would be one they'd consider first: Security Innovation were trying to sell them that at about the same time Certicom were pushing elliptic curves. (I'm not as convinced about ideal lattices, but that's an artifact of my not being as familiar with the field.)
Pre-shared keys, as they suggest there, have no forward secrecy - which makes them great for those who really like stealing, say, IPsec keys… like the NSA. It may work with the kind of old military key infrastructure they and GCHQ have, that regularly distributes random keys from centralised, organisationally-trusted sources on specialised hardware; it is a terrible recommendation for civilians.
Interesting that they're still married to P-384 (probably the most annoying curve to implement correctly). Properly-implemented Ed448-Goldilocks is safer, and that's what CFRG are going with for the "paranoid" level.
> You'll note they don't actually specify any asymmetric quantum-resistant algorithms. I'd guess if they did, NTRU or a derivative would be one they'd consider first...
My bet would be on McEliece. It's been around longer, so has been subjected to more rigorous cryptanalysis than NTRU, and is not patented.
I have next to zero understanding of how quantum computers are supposed to work. Does anyone have something like an intro into QC "for dummies"? I want to grasp this subject.
"For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition."
Wait, do working quantum computers actually exist today? D-Wave is the one I heard about, but the wiki page says it's no faster than ordinary computers and not even sure it works as advertised.
This is hard to answer because many quantum algorithms useful for cryptanalysis have probably not been discovered yet. See, for example, the debacle surrounding Soliloquoy [1], an algorithm that despite being based on the hardness of lattice reduction has a fast quantum algorithm.
Anyway, a quantum-resistant algorithm is usually meant to be one that resists the exponential speedup given by Shor's algorithm and its variants. In other words, a quantum-resistant algorithm can't be based on the hardness of integer factorization, discrete logarithms on any abelian group, class groups, and so on (i.e. all instances of the Abelian hidden subgroup problem).
The leading candidates for such hard problems are decoding a random linear code (McEliece), shortest/closest vector finding in a lattice (NTRU, GGH, [R]LWE, ...), multivariate equation system solving (HFE and friends), and in the specific case of digital signatures one-way functions (Merkle Tree signatures).
Maybe it's reverse psychology -- they've got quantum cryptanalysis, and the surest way to keep us all vulnerable is them telling us we should upgrade. ;)
I hope nobody here is actually considering using the proposed NSA algorithms - right?
The NSA today is a very different beast from the pre-2000 one. The focus seems to have drastically changed from securing stuff to mostly introducing vulnerabilities in stuff.
However, in reviewing the actual recommendations, if you trusted RSA 2048 before, it would be hard to argue the NSA has now backdoored RSA 3072 as a part of recommending it.
This comment (along with many of this author's other comments) seems to take a form which strongly reminds me of the output of SCIgen[1] and I wonder if anyone more versed in quantum cryptography or any related fields of mathematics can make more sense of it than I can.
I could, of course, be unfairly interpreting the unusually simple [2] grammatical structures as being computer generated rather than as an artifact of not being a native English speaker. If that is the case, I do apologize and hope that I have not caused any offence.
[+] [-] AlyssaRowan|10 years ago|reply
Pre-shared keys, as they suggest there, have no forward secrecy - which makes them great for those who really like stealing, say, IPsec keys… like the NSA. It may work with the kind of old military key infrastructure they and GCHQ have, that regularly distributes random keys from centralised, organisationally-trusted sources on specialised hardware; it is a terrible recommendation for civilians.
Interesting that they're still married to P-384 (probably the most annoying curve to implement correctly). Properly-implemented Ed448-Goldilocks is safer, and that's what CFRG are going with for the "paranoid" level.
[+] [-] jackgavigan|10 years ago|reply
My bet would be on McEliece. It's been around longer, so has been subjected to more rigorous cryptanalysis than NTRU, and is not patented.
[+] [-] eeZi|10 years ago|reply
[+] [-] wolf550e|10 years ago|reply
[+] [-] tlack|10 years ago|reply
[+] [-] palsecam|10 years ago|reply
Also https://speakerdeck.com/veorq/quantum-computers-vs-computers... (slides 25-30)
[+] [-] robotkilla|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] Bluerise|10 years ago|reply
[+] [-] tway|10 years ago|reply
[+] [-] wfunction|10 years ago|reply
[+] [-] cabirum|10 years ago|reply
[+] [-] jackgavigan|10 years ago|reply
A team at UCSB built a prototype quantum computer that successfully factored 15 a few years back: http://www.nature.com/nphys/journal/v8/n10/full/nphys2385.ht...
[+] [-] marcosdumay|10 years ago|reply
Anyway, they are still far from being practical, but do exist.
[+] [-] jokoon|10 years ago|reply
[+] [-] maaku|10 years ago|reply
[+] [-] biot|10 years ago|reply
[+] [-] pbsd|10 years ago|reply
Anyway, a quantum-resistant algorithm is usually meant to be one that resists the exponential speedup given by Shor's algorithm and its variants. In other words, a quantum-resistant algorithm can't be based on the hardness of integer factorization, discrete logarithms on any abelian group, class groups, and so on (i.e. all instances of the Abelian hidden subgroup problem).
The leading candidates for such hard problems are decoding a random linear code (McEliece), shortest/closest vector finding in a lattice (NTRU, GGH, [R]LWE, ...), multivariate equation system solving (HFE and friends), and in the specific case of digital signatures one-way functions (Merkle Tree signatures).
[1] http://docbox.etsi.org/Workshop/2014/201410_CRYPTO/S07_Syste...
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] aburan28|10 years ago|reply
[+] [-] givan|10 years ago|reply
[+] [-] akvadrako|10 years ago|reply
[+] [-] Taniwha|10 years ago|reply
[+] [-] scintill76|10 years ago|reply
[+] [-] Spooky23|10 years ago|reply
[+] [-] titanomachy|10 years ago|reply
[+] [-] mtgx|10 years ago|reply
The NSA today is a very different beast from the pre-2000 one. The focus seems to have drastically changed from securing stuff to mostly introducing vulnerabilities in stuff.
[+] [-] technion|10 years ago|reply
However, in reviewing the actual recommendations, if you trusted RSA 2048 before, it would be hard to argue the NSA has now backdoored RSA 3072 as a part of recommending it.
[+] [-] williamjennings|10 years ago|reply
[deleted]
[+] [-] newsdotyc-ta|10 years ago|reply
I could, of course, be unfairly interpreting the unusually simple [2] grammatical structures as being computer generated rather than as an artifact of not being a native English speaker. If that is the case, I do apologize and hope that I have not caused any offence.
[1] http://pdos.csail.mit.edu/scigen/ [2] Simple structures relative to the complexity of the topic(s)
[+] [-] dang|10 years ago|reply
[+] [-] sobkas|10 years ago|reply