<div dir="ltr">It seems the argument is for RSA as opposed to ECC RSA. It does not address lattice crypto at all. <div><br></div><div>In terms of recommendations, it seems more like a transition proposal towards lattice crypto while we know that there are superior factoring attacks, not a pre/post crypto proposal per se. </div><div><br></div><div>In that, it seems like a good transitional technology with all the caveats applied to transitional solutions. <br><div><br></div><div><br></div><div><span style="font-size:12.8px">Message: 1</span><br style="font-size:12.8px"><span style="font-size:12.8px">Date: Tue, 23 May 2017 20:50:33 +0200</span><br style="font-size:12.8px"><span style="font-size:12.8px">From: Julien Bringer <</span><a href="mailto:julien.bringer@gmail.com" style="font-size:12.8px">julien.bringer@gmail.com</a><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">To: Jerry Leichter <</span><a href="mailto:leichter@lrw.com" style="font-size:12.8px">leichter@lrw.com</a><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">Cc: Cryptography <</span><a href="mailto:cryptography@metzdowd.com" style="font-size:12.8px">cryptography@metzdowd.com</a><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">Subject: Re: [Cryptography] "Post-quantum RSA"</span><br style="font-size:12.8px"><span style="font-size:12.8px">Message-ID:</span><br style="font-size:12.8px"><span style="font-size:12.8px"> <CAALJo_BkDd4u9xLhGpO5EKeWU=</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pfs2oticUg=</span><a href="mailto:tQfx8RViWdiYw@mail.gmail.com" style="font-size:12.8px">tQfx8RViWdiYw@mail.<wbr>gmail.com</a><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">Content-Type: text/plain; charset="utf-8"</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Le 23 mai 2017 3:05 PM, "Jerry Leichter" <</span><a href="mailto:leichter@lrw.com" style="font-size:12.8px">leichter@lrw.com</a><span style="font-size:12.8px">> a écrit :</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">"Abstract: This paper proposes RSA parameters for which (1) key generation,</span><br style="font-size:12.8px"><span style="font-size:12.8px">encryption, decryption, signing, and verification are feasible on today's</span><br style="font-size:12.8px"><span style="font-size:12.8px">computers while (2) all known attacks are infeasible, even assuming highly</span><br style="font-size:12.8px"><span style="font-size:12.8px">scalable quantum computers. As part of the performance analysis, this paper</span><br style="font-size:12.8px"><span style="font-size:12.8px">introduces a new algorithm to generate a batch of primes. As part of the</span><br style="font-size:12.8px"><span style="font-size:12.8px">attack analysis, this paper introduces a new quantum factorization</span><br style="font-size:12.8px"><span style="font-size:12.8px">algorithm that is often much faster than Shor's algorithm and much faster</span><br style="font-size:12.8px"><span style="font-size:12.8px">than pre-quantum factorization algorithms. Initial pqRSA implementation</span><br style="font-size:12.8px"><span style="font-size:12.8px">results are provided."</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">The proposed parameters lives in a curious area somewhere between theory</span><br style="font-size:12.8px"><span style="font-size:12.8px">and practice. It isn't "theory" because it can't exclude the possibility</span><br style="font-size:12.8px"><span style="font-size:12.8px">of incrementally faster quantum algorithms for factoring that would destroy</span><br style="font-size:12.8px"><span style="font-size:12.8px">the tradeoffs. (Then again, the same could be said of traditional</span><br style="font-size:12.8px"><span style="font-size:12.8px">pre-quantum RSA!). On the other hand, it's not really practical because</span><br style="font-size:12.8px"><span style="font-size:12.8px">the recommended key sizes are around a terabyte - and they estimate an</span><br style="font-size:12.8px"><span style="font-size:12.8px">encryption/decryption time of about 5 days.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Still, an interesting exploration of limits.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Oh - the authors include Daniel Bernstein and Nadia Heninger. :-)</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px"> -- Jerry</span><br style="font-size:12.8px"><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Thanks for the pointer. Dan presented an overview at Eurocrypt rump session</span><br style="font-size:12.8px"><span style="font-size:12.8px">earlier this month. I was not sure they will come up with a paper.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">I like the message it conveys: do not focus only on using power of quantum</span><br style="font-size:12.8px"><span style="font-size:12.8px">computers for breaking schemes!</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Julien</span><br style="font-size:12.8px"><span style="font-size:12.8px">-------------- next part --------------</span><br style="font-size:12.8px"><span style="font-size:12.8px">An HTML attachment was scrubbed...</span><br style="font-size:12.8px"><span style="font-size:12.8px">URL: <</span><a href="http://www.metzdowd.com/pipermail/cryptography/attachments/20170523/868fe94d/attachment-0001.html" rel="noreferrer" target="_blank" style="font-size:12.8px">http://www.metzdowd.com/<wbr>pipermail/cryptography/<wbr>attachments/20170523/868fe94d/<wbr>attachment-0001.html</a><span style="font-size:12.8px">></span><br></div><div><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr" style="font-size:12.8px">Prof. L. Jean Camp<br><a href="http://www.ljean.com/" target="_blank">http://www.ljean.com</a></div><div dir="ltr" style="font-size:12.8px"><div><br>Make a Difference <br><a href="http://www.ieeeusa.org/policy/govfel/congfel.asp" target="_blank">http://www.ieeeusa.org/policy/govfel/congfel.asp</a></div></div></div></div></div></div></div>
</div></div></div>