Wishlist: Post-Quantum Cryptography #461
Comments
What about hash-based signatures?
If I were to work on such a codebase, what would the preference be for integration into LTC? Or something else? Suggestions/direction being solicited. Thanks.
@dmwheel1 @sjaeckel I think the priorities are: complete cryptosystems with low footprint > complete cryptosystems with high footprints > pure signature schemes; also those that are being standardized > those made by others
@DonaldTsang XMSS and LMS actually ARE part of the NIST PQC set, but are not experimental, so they do not fall into the Round Two set - their security is not in question, since they are based on solid cryptographic techniques going back to the mid-1970s. See https://csrc.nist.gov/Projects/stateful-hash-based-signatures/news and the draft standard here https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208-draft.pdf. BTW, one of my team members is working on BIKE and Classic McEliece, so a future contribution in this area would be possible.
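The stateful hash-based signature family discussed above (XMSS/LMS), as an added Python illustration that is not libtomcrypt code and not a standard-conformant implementation: Lamport one-time keys under a Merkle tree, with the leaf counter as the state that must persist and never be reused. Names (`MerkleSigner`, `verify`, tree height) are this example's own.

```python
# Added illustration (not libtomcrypt code): stateful HBS in the spirit of XMSS/LMS.
import hashlib, os

H = lambda b: hashlib.sha256(b).digest()
BITS = 256  # we sign SHA-256 digests, so each OTS covers 256 message bits

def bits(msg):  # digest of msg as a list of 256 bits, MSB first
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]

def lamport_keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(BITS)]
    return sk, [[H(s0), H(s1)] for s0, s1 in sk]

def lamport_sign(sk, msg):  # reveals one preimage per bit: strictly one-time
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def leaf_hash(pk):
    return H(b"".join(p0 + p1 for p0, p1 in pk))

class MerkleSigner:
    """Few-time signer; next_idx is state that must persist and never roll back."""
    def __init__(self, height=2):
        self.ots = [lamport_keygen() for _ in range(1 << height)]
        layer = [leaf_hash(pk) for _, pk in self.ots]
        self.layers = [layer]
        while len(layer) > 1:  # build the tree bottom-up
            layer = [H(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
            self.layers.append(layer)
        self.root, self.next_idx = layer[0], 0

    def sign(self, msg):
        if self.next_idx >= len(self.ots):
            raise RuntimeError("all one-time keys consumed")
        idx, self.next_idx = self.next_idx, self.next_idx + 1
        sk, pk = self.ots[idx]
        auth, i = [], idx  # sibling hashes from leaf to root
        for layer in self.layers[:-1]:
            auth.append(layer[i ^ 1]); i >>= 1
        return idx, pk, lamport_sign(sk, msg), auth

def verify(root, msg, sig):
    idx, pk, ots_sig, auth = sig
    if not lamport_verify(pk, msg, ots_sig):
        return False
    node = leaf_hash(pk)
    for sib in auth:  # recompute the path up to the root
        node = H(node + sib) if idx % 2 == 0 else H(sib + node); idx >>= 1
    return node == root
```

Once all four leaves are consumed the signer refuses further signatures; a real deployment would also have to guard the counter against backups and crashes that restore an older state.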
@dmwheel1 in that case, are there any documents that give info on which current cryptographic algorithms are based on what other algorithms/principles? Good to have BIKE people here though.
@DonaldTsang I am not aware of a specific document that lists the relations among the PQC candidates, though I have seen some categorizations in various papers and presentations. My comment regarding SPHINCS+ is based on my personal analysis reading the HBS academic papers and standards.
I think it makes sense to go with standardized solutions for now instead of spending effort on proposals. If it doesn't have an RFC or other freely available specification (i.e. IETF, NIST or some other standards body published it) it doesn't make sense to be included IMO. Regarding the integration, I like the proposal of going with b) and putting them in If we'll ever go and add "draft" algorithms (which I doubt since the issue with #256) I'd propose to add new
The problem is that nothing Post-Quantum related is standardized yet; all the citations made are proposals that are close to being standardized.
@DonaldTsang Respectfully, I believe you are mistaken regarding HBS algorithms not being standardized (or we have different views of that definition). Both XMSS and LMS are published standards out of the IETF Crypto Research Group (link above). NIST has published their DRAFT standard and the public comment period is over (link above), meaning that publication of the final standard is imminent (definition of imminent with a government involved and in these COVID-19 challenging times is up for debate ;-) ). If NIST publishes their specification, would that meet your definition of a standardized algorithm, or would you look for other criteria?
They have an RFC -- yes I'm aware the RFCs are only informational and from the IRTF/CFRG, not IETF -- but I usually call this standardized. Or am I wrong there?
The CFRG (Crypto Forum Research Group) - the crypto group at IETF - only publishes informational RFCs. Until I started regularly attending IETF meetings, I was unaware of this fact. The CFRG actually is organized in the research side of the group (the IRTF), not the engineering side (the IETF).
OpenSSH ships with a post-quantum algorithm enabled by default: OpenSSH 9.0/9.0p1 (2022-04-08).
SIDH/SIKE are proven "insecurable" & the authors have posted such @ NIST. Could the top post be updated?
You should put implementing RSA in larger key sizes on your list. RSA in key sizes supported by OpenSSH (16384-bit) is a great practical post-quantum algorithm in the exact same way it is a great algorithm today. It works today because no practical computer can be built to factor it. It works post-quantum because in order for Shor's algorithm to work on a 16384-bit key, you need a quantum computer with a quantum gate count into the billions. In short, no practical quantum computer on the conceivable horizon can make one. To factor a prime number with Shor's, you need somewhere between O(n^2 * log(n)) (the number of gates for the quantum Fourier transform) and O(n^3) (overall complexity) gates. This makes good old RSA with key sizes on the upper end of what is already commonly available a good choice for quantum resistance, since it requires a gate count far in excess of what is likely on the horizon in a time frame equal to classical computer factoring capabilities growth. tl;dr Please support RSA key sizes up to and including the 16384-bit sizes that most SSH implementations support.
We don't limit RSA key sizes, i.e. you're limited by what your math provider and your hardware constraints allow. If you use ltm or GMP your limit is "the sky"^TM; tfm in default config is indeed limited to RSA 2048, but you could also compile it with RSA16384 support (which will most likely cause some stack overflows if you aren't careful :) ). C.f. e.g. https://github.com/libtom/libtomcrypt/blob/develop/tests/rsa/rsa_size_16384_bits.der which is used here (Line 477 in e0d90c5).
If you find out that this is not true or something doesn't work as expected, feel free to open an issue! This would be a bug. |
libtomcrypt/src/math/rand_prime.c
So it will use, but not generate, RSA16384 keys?
Indeed, that looks like there's a limit that we will only generate up to Also, as mentioned above: please open a separate issue (or you're also free to provide a PR fixing this :) ).
@levitte asked for it, so I had a deeper look and did some numbers, and I now believe that my statement was wrong for most use cases. Please check libtom/tomsfastmath#32 (comment) for details.
Proven insecure and therefore removed from the list
SIDH https://github.com/Microsoft/PQCrypto-SIDH and https://github.com/sidh-crypto/sidh-c-reference and https://github.com/tigusoft/libsidhms, c.f. Wishlist: Post-Quantum Cryptography #461 (comment)