> -----Original Message-----
> From: Valery Smyslov [mailto:sva...@gmail.com]
> Sent: Thursday, August 11, 2016 2:13 AM
> To: Paul Hoffman; Scott Fluhrer (sfluhrer)
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] I-D Action: draft-fluhrer-qr-ikev2-02.txt
> 
> Hi,
> 
> >> On the other hand, we need to give people some guidance somehow...
> >
> > Do we? Who is "we"? Why is "our" guidance any better than what they
> > get from their own experts, particularly if "our" guidance gets
> > ossified in an IANA registry or RFCs that are updated slowly?
> 
> Instead of listing QR-secure (or insecure) symmetric algorithms it's probably
> better to give some generic advice of selecting symmetric crypto in presence
> of Quantum Computers.
> 
> For example (I stole the text from http://www.pqcrypto.eu.org/docs/initial-recommendations.pdf):
> 
> Symmetric systems are usually not affected by Shor's algorithm, but they are
> affected by Grover's algorithm. Under Grover's attack, the best security a
> key of length n can offer is 2^(n/2), so AES-128 offers only 2^64 post-
> quantum security. This document recommends using algorithms with 256-bit
> keys to achieve 2^128 post-quantum security.

I'll steal this text in the next version (along with a note that, while the 
PRFs PRF_AES128_XCBC and PRF_AES128_CMAC do accept keys larger than 128 bits, 
they internally convert them to 128 bit values, and hence should be considered 
as 128 bit algorithms).

> 
> >> There's no known Quantum attack against either (assuming long keys),
> >> and so they're in the same category as AES-256.
> >
> > That would be better stated as "There's currently no known..."
> 
> Exactly.
> 
> > --Paul Hoffman
> 
> Regards,
> Valery.
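
The two points made in this thread (Grover halves the effective key length, and the two AES-128 PRFs reduce longer keys to 128 bits internally) can be turned into a small proposal audit. This is an added example, not text or code from the draft or from either author; the transform names and key sizes in the sample proposal are constructed for illustration, and the 128-bit target follows the quoted recommendation.

```python
# Audit the symmetric transforms of an IKEv2 proposal for post-quantum strength.
# Added example (not from draft-fluhrer-qr-ikev2). Assumptions:
#  - transform names are written in IANA IKEv2-registry style;
#  - the two AES-128 PRFs named in the thread keep a 128-bit internal key
#    no matter how long the supplied key is.

# PRFs whose internal key is fixed at 128 bits regardless of input key length.
TRUNCATING_PRFS = {"PRF_AES128_XCBC", "PRF_AES128_CMAC"}


def grover_bits(key_bits):
    """Best security an n-bit key offers under Grover's search: 2^(n/2)."""
    return key_bits // 2


def effective_key_bits(name, key_bits):
    """Key length the transform actually uses internally."""
    if name in TRUNCATING_PRFS:
        return min(key_bits, 128)
    return key_bits


def audit_proposal(transforms, target_pq_bits=128):
    """transforms: list of (transform_name, key_bits).

    Returns (weakest_pq_bits, findings): the post-quantum security of the
    whole proposal is bounded by its weakest symmetric transform, and each
    finding explains why a transform falls short of the target.
    """
    findings = []
    weakest = None
    for name, key_bits in transforms:
        eff = effective_key_bits(name, key_bits)
        pq = grover_bits(eff)
        if eff != key_bits:
            findings.append(f"{name}: {key_bits}-bit key reduced internally to {eff} bits")
        if pq < target_pq_bits:
            findings.append(f"{name}: {pq}-bit post-quantum security, below target {target_pq_bits}")
        weakest = pq if weakest is None else min(weakest, pq)
    return weakest, findings


if __name__ == "__main__":
    # Constructed proposal: a 256-bit key was given to PRF_AES128_CMAC in the
    # belief that it raises the post-quantum margin; the audit shows it does not.
    proposal = [("ENCR_AES_GCM_16", 256), ("PRF_AES128_CMAC", 256)]
    weakest, findings = audit_proposal(proposal)
    print(f"weakest post-quantum strength: {weakest} bits")
    for f in findings:
        print(" -", f)
```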

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec