[Cryptography] RSA Crypto is officially insecure due to NIST

Dennis E. Hamilton dennis.hamilton at acm.org
Sun Apr 2 12:11:21 EDT 2017



> -----Original Message-----
> From: cryptography [mailto:cryptography-
> bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf Of Hanno Böck
> Sent: Sunday, April 2, 2017 04:14
> To: Tom A. via cryptography <cryptography at metzdowd.com>
> Cc: Tom A. <thomasasta at googlemail.com>
> Subject: Re: [Cryptography] RSA Crypto is officially insecure due to
> NIST
> 
> On Sun, 2 Apr 2017 10:00:02 +0200
> "Tom A. via cryptography" <cryptography at metzdowd.com> wrote:
> 
> > #RSA Crypto is insecure:
> > http://csrc.nist.gov/publications/drafts/nistir-
> 8105/nistir_8105_draft.pdf
> >
[ ... ]

> Alternative encryption schemes being investigated are based on ring
> learning with errors. New Hope and NewHope-Simple [1] are recent
> variants. Other fields of postquantum research are supersingular
> isogenies.
> 
> I agree that messengers should start investigating postquantum crypto,
> but the field is very much in flux and early adopters should be
> prepared to overthrow whatever they've been implementing. For now
> implementing hybrid schemes is a good option.
> 
> If you read the NIST document you linked then you'll notice that NIST
> is only in the phase of starting a standardization effort for pqcrypto.
> Unfortunately we don't have "standard options" for postquantum
> encryption schemes yet that we can easily adopt.
[orcmid] 

I did read the paper and the hyperbole about RSA and anything official from NIST is misplaced.  Basically, all currently-standardized PKI approaches are presumed to become vulnerable as effective quantum cryptanalysis arrives.  Uses of symmetric keys are considered to be bolstered by increase of key sizes (and hash digest sizes).  But current PKI standards hinge on complexity assumptions that are likely to break down given sufficient quantum cryptanalysis power.

There is expected to be considerable time before there will be effective attacks, although NIST carefully points out that changes to alternative schemes can take 20 years or more in practice.

Along with the prospect that alternative PKI schemes might be broken by methods not yet known, the bottom line recommendation is important to appreciate:

   "When standards for quantum-resistant public key cryptography 
    become available, NIST will reassess the imminence of the threat
    of quantum computers to existing standards, and may decide to 
    deprecate or withdraw the affected standards thereafter as a 
    result. Agencies should therefore be prepared to transition 
    away from these algorithms as early as 10 years from now 
    [i.e., 2026].  As the replacements for currently standardized 
    public-key algorithms are not yet ready, a focus on maintaining 
    crypto agility is imperative."

From time to time, this [Cryptography] list ponders the issues of agility and roll-forward of widely-distributed applications and the implementations bolted into them.  That seems important to investigate more aggressively.

 - Dennis
> 
> [1] https://cryptojedi.org/papers/newhopesimple-20161217.pdf
> --
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: hanno at hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
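As an added illustration (not part of the thread above, and not code from either poster) of the "hybrid schemes" and "crypto agility" points: a minimal Python combiner that derives one session key from a classical and a post-quantum shared secret, binding both algorithm identifiers and both ciphertexts into the HKDF label. The KEM shared secrets and ciphertexts are constructed placeholder bytes, since no post-quantum KEM ships in the standard library; the function and label names are assumptions for this example.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step (empty salt is equivalent to HashLen zero bytes)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(prk, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(ss_classical: bytes, ss_pq: bytes,
               ct_classical: bytes, ct_pq: bytes,
               alg_classical: bytes, alg_pq: bytes, length: int = 32) -> bytes:
    """Combine two KEM shared secrets into one key.

    Both secrets feed the IKM, so an attacker must recover both; the algorithm
    identifiers and ciphertexts go into `info`, so a different scheme pairing or
    a tampered transcript yields an unrelated key (the agility hook).
    """
    ikm = ss_classical + ss_pq
    info = b"|".join([b"hybrid-kem-v1", alg_classical, alg_pq, ct_classical, ct_pq])
    return hkdf_expand(hkdf_extract(b"", ikm), info, length)


# Constructed stand-ins for what real KEM encapsulations would produce.
SS_CLASSICAL = b"\x11" * 32   # e.g. an X25519 shared secret (placeholder)
SS_PQ = b"\x22" * 32          # e.g. a NewHope shared secret (placeholder)
CT_CLASSICAL = b"\xaa" * 32   # classical public value / ciphertext (placeholder)
CT_PQ = b"\xbb" * 64          # post-quantum ciphertext (placeholder)


def demo() -> bytes:
    # Assumed algorithm labels; a deployment would pick them from a registry.
    return hybrid_key(SS_CLASSICAL, SS_PQ, CT_CLASSICAL, CT_PQ,
                      b"x25519", b"newhope-simple")


if __name__ == "__main__":
    print(demo().hex())
```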