[Cryptography] Key escrow scheme

[Viktor Dukhovni]

> On Apr 6, 2017, at 8:11 AM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> 
> Making such a scheme usable is somewhat tricky because we would want to make the shares used to secure the key to be as small as possible for convenience which indicates 128 bit work factor for the master key. But I would really like to make use of 256 bit AES throughout. This got me thinking about the nature of the work factor requirement with more precision than just 'make it 256 bit WF everywhere. In particular I want
> 
> * A 2^128 WF against brute force attack 
> * A 2^256 WF against related key attacks 
> 
> It seems very probable that any conventional machine attack that is more efficient than brute force is going to be exploiting some form of related key attack. Even with quantum, the efficiency is coming with the ability to test on relations between multiple keys simultaneously.

My impression is that Grover's algorithm has nothing to do with
related keys.  It is a generic QC algorithm for finding which of
N inputs produces a given output in sqrt(N) time.

So if the master secret is 128 bits, recovering it by "brute force"
may take only 2^64 quantum time.  The holder of the key may long
be dead before scalable universal QCs are built, or such QCs may
arrive all too soon.

Perhaps I've misunderstood the descriptions I've read of Grover's
algorithm, but if not, the design probably does not achieve your
goals.  To get 2^128 quantum work-factor for symmetric algorithms
IIRC you unavoidably need a 2^256 key space.

-- 
	Viktor.