[Cryptography] Why Quantum Cryptanalysis is Bollocks

Peter Fairbrother peter at tsto.co.uk
Fri Aug 2 17:59:00 EDT 2024


On 01/08/2024 04:13, Peter Gutmann wrote:
> I've just posted the draft slides for a talk with the above title, which also
> happens to perfectly summarise its contents, to:
>
> http://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf
>
> I'd be interested in any comments/feedback/whatever people might have on this.
>
> Peter.

Hi Peter,

Two and a half points. First, the wording of your Rule #1, "Complexity
is the enemy of security".

I have been using "Larger and more complicated systems have more places
to attack" (as Law 6), but was considering using "A more complex system
has more places to attack, and is harder to understand, securely
implement and debug" instead.

Your version is pithier (and of course shorter), but I don't think
complexity is the only enemy of security (for instance, simply large
size also makes security harder). I'd also like a version which includes
reasons why complexity is bad.

You also talk about churn, so things like timely implementation,
leftover code or settings whose reasons for existence are now unknown
are also issues.

So, any wording suggestions?  Ta.



Half a point: why aren't things like TLS, email programs, possibly even
browsers etc. set in stone by now? You write one version (like OpenBSD
but with more resources), and when it seems secure you lock it down
until a hole is found. If you want to add fancy flourishes you add
another layer of code on top of the secure underpinnings. Got to start
with the OS here, but monthly OS patches on Tuesdays?

oooo, monoculture, oooo :(



Second, what we knew and when.

Around 2010 I for one did not think the possibility of cryptographically
useful quantum computers being developed in the next 20-30 years was
highly unlikely. I didn't think it was actually likely, but I couldn't
dismiss the possibility, and as security engineers (all cryptographers
pretty much have to be security engineers, at least a little, these
days) we had and have a duty to take measures to protect our users, even
against unlikely threats.

As the possibly-imminent development of a cryptographically useful
quantum computer has receded into the farther reaches of time the
urgency to develop countermeasures has decreased, but the momentum of
the early efforts - mostly the NIST post-quantum competition - endures
beyond its initial perceived immediate need.

So, I think you are a little hard on the PQC people. But only a little...


Peter Fairbrother
