Re: Quantum Crypto redux Re: Boston Linux Meeting ... Crypto News, plus ...

2018-09-21 Thread Joshua Judson Rosen
On 09/19/2018 10:33 PM, Bill Ricker wrote:
> QuBits aren't QUITE on the Moore's Law 18-month doubling cycle yet; my 
> back-of-the-envelope shows going from 7 QuBits to 72 QuBits in 16 years is 
> doubling in 28 months.  Which is kinda close to Moore's law for RAM (24 
> months)...
> How soon the engineering will allow a growth spurt is unclear.
> 
> So setting my ED25519 key expiration at 10 years was just about right, :-) 
> that's just exactly when it should be doable commercially :-).
> A little shorter would have been more conservative!

Hmm. My understanding of key expiries has been more that they're useful as a
sort of dead-man switch (since you can always publish *changes* to the
expiration dates as long as you are still capable of accessing and making use
of the private key, and haven't published a revocation): to help balance
concerns about things like long-term management of secrecy (however low your
likelihood of compromise is over the course of a year, if it's non-zero then
it compounds over multiple years/decades--and larger probabilities compound
more quickly; this is the concern that Schneier quoted from Filippo Valsorda
a couple of years ago, for example); or what happens to your key's validity
after it becomes inaccessible to/by you (for example if you become
incapacitated or die unexpectedly...); or, more generally, to establish
key-migration timeframes.

To *those ends*, a 10-year expiry period is kind of crazy-sounding--especially
if you take a position like "my modern smartphone is the most
easily-compromised keystore, because someone could easily mug me for it, or I
could fumble it into someplace where I can't retrieve it before someone else
has the opportunity; and my password probably won't guard it for *that*
long..., so maybe I should be giving the smartphone short-lived subkeys on the
order of 1 month or even less".

-- 
Connect with me on the GNU social network: 

Not on the network? Ask me for an invitation to a social hub!
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
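As an added illustration of the key layout argued for in the reply above (this
script is not from either message in the thread, it is an editor's example):
a certify-only ed25519 primary key with the 10-year expiry under discussion,
two subkeys with 1-month expiry of the sort one might hand to a phone, and the
"dead-man switch" property, namely that whoever still holds the primary secret
key can move every expiry date at will. It assumes GnuPG 2.1 or later on PATH
and works in a throwaway GNUPGHOME; the user ID and the 2y/3m figures used when
the dates are reset are made up for the demo.

```shell
#!/bin/sh
# Editor's example (not code from the thread). Assumes gpg 2.1+ on PATH.
# All work happens in a temporary GNUPGHOME; no real keyring is touched.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; nothing to demo" >&2; exit 0; }

export GNUPGHOME
GNUPGHOME=$(mktemp -d)
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT

# Unattended gpg: batch mode, demo keys carry no passphrase.
gpgb() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Certify-only primary with a 10-year expiry, plus short-lived (1 month)
# signing and encryption subkeys. Prints the primary fingerprint.
# The user ID is a made-up placeholder.
make_keys() {
    gpgb --quick-generate-key 'Demo User <demo@example.invalid>' ed25519 cert 10y
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    gpgb --quick-add-key "$fpr" ed25519 sign 1m
    gpgb --quick-add-key "$fpr" cv25519 encr 1m
    echo "$fpr"
}

# Fingerprints of the subkeys of $1, one per line: in colon output the
# fpr record that follows each sub record belongs to that subkey.
subkey_fprs() {
    gpg --batch --with-colons --list-keys "$1" \
      | awk -F: '$1=="sub"{want=1; next} want && $1=="fpr"{print $10; want=0}'
}

# Days until expiry for the primary ("pub") and each subkey ("sub") of $1.
# Field 7 of a pub/sub colon record is the expiry time as a Unix timestamp.
days_left() {
    gpg --batch --with-colons --list-keys "$1" \
      | awk -F: -v now="$(date +%s)" \
          '$1=="pub" || $1=="sub" {printf "%s %d\n", $1, ($7-now)/86400}'
}

# The dead-man-switch property: as long as the primary secret key is usable
# and not revoked, its holder can publish new expiry dates, later or earlier.
# $2 is the new primary expiry, $3 the new expiry applied to every subkey.
reset_expiry() {
    gpgb --quick-set-expire "$1" "$2"
    # shellcheck disable=SC2046  (subkey fingerprints are meant to split)
    gpgb --quick-set-expire "$1" "$3" $(subkey_fprs "$1")
}

FPR=$(make_keys)
echo "as generated (10y primary, 1m subkeys):"
days_left "$FPR"
reset_expiry "$FPR" 2y 3m
echo "after the holder moved the dates (2y primary, 3m subkeys):"
days_left "$FPR"
```

To give the phone only the day-to-day keys, export with
gpg --export-secret-subkeys and import that bundle on the device; the
certify-only primary stays offline and is the only thing that can mint
replacement subkeys or change the dates, which is what makes the short
subkey lifetime cheap and the long primary lifetime tolerable.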


Quantum Crypto redux Re: Boston Linux Meeting ... Crypto News, plus ...

2018-09-19 Thread Bill Ricker
Elliott is correct that ECC, including Curve25519 as well as the NIST P-*
curves, is more affected by QC (Shor's) than RSA ... in part because our
classical factoring technology had such a head start and has gotten so good
that RSA keys have gotten huge, while discrete log remained hard, so ECC
remains small(er)-data and a classically recommended key size fits in fewer
QuBits.

Having a 20x safety factor over announced QuBits is fine for safety against
commercial attack today, but for how much longer?
(The good news is AES and hashes only need to double in size to resist
Grover's algorithm in Quantum, they say. )

Partial retraction -- the D-Wave machines with ridiculous numbers of QuBits
are Quantum Annealers, not general-purpose Quantum Computers. (It did seem
obvious there was something different about them, from the interleaved
series of records of different orders of magnitude. Now I know what!)
Annealers are good for some kinds of non-linear search problems, but the
two Quantum Computing algorithms known to theoretically plague
public-key/asymmetric and private-key/symmetric cryptography, Shor's and
Grover's respectively, are not among the Simulated Annealing algorithms.
So $15M for a 2k-QuBit D-Wave isn't yet scary for crypto, even though
Curve25519 can be solved by < 1600 QuBits in theory, because the (open)
record for a general QC logic machine remains at 72 QuBits, a safety
factor of 20.

QuBits aren't QUITE on the Moore's Law 18-month doubling cycle yet; my
back-of-the-envelope shows going from 7 QuBits to 72 QuBits in 16 years is
doubling in 28 months.  Which is kinda close to Moore's law for RAM (24
months)...
How soon the engineering will allow a growth spurt is unclear.

So setting my ED25519 key expiration at 10 years was just about right, :-)
that's just exactly when it should be doable commercially :-).
A little shorter would have been more conservative!

(I do wonder if D-Wave could be used for Hill-Climbing attack on some
classic crypto problems e.g. Wheatstone/Playfair, but wouldn't be cost
effective there. :-)  )