Hi, Even if JOSE WG is not included in the recipients, I looked at this LS and TR 103 619 that the LS refer to. In addition to the requested information, I think IETF should send ETSI CYBER comments on TR 103 619 that the LS is based on. My suggestions:
--------------- IETF kindly suggests that ETSI CYBER makes the following updates/corrections in the next revision of TR 103 619: * IETF suggests that ETSI CYBER uses the established term Cryptanalytically Relevant Quantum Computers (CRQCs). It is important that readers understand that there is a huge difference between current quantum computers and CRQCs. * IETF suggests that ETSI CYBER uses another term than “classical cryptography”. Quantum-resistant cryptography like ML-KEM and ML-DSA runs on classical computers and code-based cryptography and hash-based cryptography was invented in the late 1970s. * As ETSI CYBER mentions that Quantum Key Distribution is not vulnerable to attacks from CRQCs, ETSI CYBER should also mention that Quantum Key Distribution is neither a practical nor a secure solution [1-2]. * IETF advice ETSI CYBER to update and correct the information regarding symmetric cryptography. The idea that symmetric cryptography will be practically affected by CRQCs is now seen as a misconception. The “bits of security” concept does not work with algorithms that are not parallelizable and NIST is therefore transitioning to quantum-resistant security levels based on symmetric algorithms where level 1 is equivalent with AES-128, level 2 is SHA-256, etc. [3]. UK government assesses that “symmetric algorithms with at least 128-bit keys (such as AES) can continue to be used” [4]. While classical supercomputers might be able to brute force AES-128 around the year 2090 [5-6], a huge cluster of one billion CRQCs (according to one estimate costing one billion USD each) would take a million years of uninterrupted calculation to find a single AES-128 key. Algorithms with quadratic (𝑛2) speedup like Grover’s algorithm (which is proven to be optimal) will not provide any practical quantum advantage for breaking symmetric cryptography and likely not for any other problems [7-8]. * The name of the X.509 field is “Subject Public Key Info”, not “Subject Key Info”. [1] ANSSI, BSI, Netherlands NCSA, Swedish NCSA, “Position Paper on Quantum Key Distribution” https://cyber.gouv.fr/actualites/uses-and-limits-quantum-key-distribution [2] NSA, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)” https://www.nsa.gov/Cybersecurity/Quantum-Key-Distribution-QKD-and-Quantum-Cryptography-QC/ [3] NIST, “Comments Requested on Three Draft FIPS for Post-Quantum Cryptography” https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography [4] UK NCSC, “Next steps in preparing for post-quantum cryptography” https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography [5] CRYPTEC, ”Cryptographic Technology Evaluation Committee Activity Report” https://www.cryptrec.go.jp/symposium/2023_cryptrec-eval.pdf [6] CRYPTEC, ”Japan CRYPTREC Activities on PQC” https://events.btq.li/Japan_CRYPTREC_Activities_on_PQC_Shiho_Moriai.pdf [7] Hoefler, Häner, Troyer, “Disentangling Hype from Practicality: On Realistically Achieving Quantum Advantage” https://cacm.acm.org/magazines/2023/5/272276-disentangling-hype-from-practicality-on-realistically-achieving-quantum-advantage/fulltext [8] Babbush, McClean, Newman, Gidney, Boixo, Neven, “Focus beyond Quadratic Speedups for Error-Corrected Quantum Advantage” https://arxiv.org/pdf/2011.04149.pdf --------------- Cheers, John Preuß Mattsson
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
