idnits 2.17.1 draft-hoffman-c2pq-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 14, 2017) is 2419 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft ICANN 4 Intended status: Informational August 14, 2017 5 Expires: February 15, 2018 7 The Transition from Classical to Post-Quantum Cryptography 8 draft-hoffman-c2pq-02 10 Abstract 12 Quantum computing is the study of computers that use quantum features 13 in calculations. For over 20 years, it has been known that if very 14 large, specialized quantum computers could be built, they could have 15 a devastating effect on asymmetric classical cryptographic algorithms 16 such as RSA and elliptic curve signatures and key exchange, as well 17 as (but in smaller scale) on symmetric cryptographic algorithms such 18 as block ciphers, MACs, and hash functions. There has already been a 19 great deal of study on how to create algorithms that will resist 20 large, specialized quantum computers, but so far, the properties of 21 those algorithms make them onerous to adopt before they are needed. 23 Small quantum computers are being built today, but it is still far 24 from clear when large, specialized quantum computers will be built 25 that can recover private or secret keys in classical algorithms at 26 the key sizes commonly used today. It is important to be able to 27 predict when large, specialized quantum computers usable for 28 cryptanalysis will be possible so that organization can change to 29 post-quantum cryptographic algorithms well before they are needed. 31 This document describes quantum computing, how it might be used to 32 attack classical cryptographic algorithms, and possibly how to 33 predict when large, specialized quantum computers will become 34 feasible. 36 Status of This Memo 38 This Internet-Draft is submitted in full conformance with the 39 provisions of BCP 78 and BCP 79. 41 Internet-Drafts are working documents of the Internet Engineering 42 Task Force (IETF). Note that other groups may also distribute 43 working documents as Internet-Drafts. The list of current Internet- 44 Drafts is at http://datatracker.ietf.org/drafts/current/. 46 Internet-Drafts are draft documents valid for a maximum of six months 47 and may be updated, replaced, or obsoleted by other documents at any 48 time. It is inappropriate to use Internet-Drafts as reference 49 material or to cite them other than as "work in progress." 51 This Internet-Draft will expire on February 15, 2018. 53 Copyright Notice 55 Copyright (c) 2017 IETF Trust and the persons identified as the 56 document authors. All rights reserved. 58 This document is subject to BCP 78 and the IETF Trust's Legal 59 Provisions Relating to IETF Documents 60 (http://trustee.ietf.org/license-info) in effect on the date of 61 publication of this document. Please review these documents 62 carefully, as they describe your rights and restrictions with respect 63 to this document. Code Components extracted from this document must 64 include Simplified BSD License text as described in Section 4.e of 65 the Trust Legal Provisions and are provided without warranty as 66 described in the Simplified BSD License. 68 Table of Contents 70 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 71 1.1. Disclaimer . . . . . . . . . . . . . . . . . . . . . . . 3 72 1.2. Executive Summary . . . . . . . . . . . . . . . . . . . . 3 73 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 74 1.4. Not Covered: Post-Quantum Cryptographic Algorithms . . . 5 75 1.5. Not Covered: Quantum Cryptography . . . . . . . . . . . . 5 76 1.6. Where to Read More . . . . . . . . . . . . . . . . . . . 5 77 2. Brief Introduction to Quantum Computers . . . . . . . . . . . 6 78 2.1. Quantum Computers that Recover Cryptographic Keys . . . . 7 79 3. Physical Designs for Quantum Computers . . . . . . . . . . . 7 80 3.1. Qubits, Error Detection, and Error Correction . . . . . . 8 81 3.2. Promising Physical Designs for Quantum Computers . . . . 8 82 3.3. Challenges for Physical Designs . . . . . . . . . . . . . 8 83 4. Quantum Computers and Public Key Cryptography . . . . . . . . 9 84 4.1. Explanation of Shor's Algorithm . . . . . . . . . . . . . 10 85 4.2. Properties of Large, Specialized Quantum Computers Needed 86 for Recovering RSA Public Keys . . . . . . . . . . . . . 10 87 5. Quantum Computers and Symmetric Key Cryptography . . . . . . 10 88 5.1. Explanation of Grover's Algorithm . . . . . . . . . . . . 11 89 5.2. Properties of Large, Specialized Quantum Computers Needed 90 for Recovering Symmetric Keys . . . . . . . . . . . . . . 11 91 5.3. Properties of Large, Specialized Quantum Computers for 92 Computing Hash Collisions . . . . . . . . . . . . . . . . 12 93 6. Predicting When Useful Cryptographic Attacks Will Be Feasible 12 94 6.1. Proposal: Public Measurements of Various Quantum 95 Technologies . . . . . . . . . . . . . . . . . . . . . . 13 97 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 98 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 99 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 100 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 101 10.1. Normative References . . . . . . . . . . . . . . . . . . 14 102 10.2. Informative References . . . . . . . . . . . . . . . . . 15 103 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16 105 1. Introduction 107 Early drafts of this document use "@@@@@" to indicate where the 108 editor particularly want input from reviewers. The editor welcomes 109 all types of review, but the areas marked with "@@@@@" are in the 110 most noticeable need of new material. (The editor particularly 111 appreciates new material that comes with references that can be 112 included in this document as well.) 114 1.1. Disclaimer 116 **** This is an early version of this draft. **** As such, it has had 117 little in-depth review in the cryptography community. Statements in 118 this document might be wrong; given that the entire document is about 119 cryptography, those wrong statements might have significant security 120 problems associated with them. 122 Readers of this document should not rely on any statements in this 123 version of this draft. As the draft gets more input from the 124 cryptography community over time, this disclaimer will be softened 125 and eventually eliminated. 127 1.2. Executive Summary 129 The development of quantum computers that can recover private or 130 secret keys in classical algorithms at the key sizes commonly used 131 today is at a very early stage. None of the published examples of 132 such quantum computers is useful in recovering keys that are in use 133 today. There is a great amount of interest in this development, and 134 researchers expect large strides in this development in the coming 135 decade. 137 There is active research in standardizing signing and key exchange 138 algorithms that will withstand attacks from large, specialized 139 quantum computers. However, all those algorithms to date have very 140 large keys, very large signatures, or both. Thus, there is a large 141 sustained cost in using those algorithms. Similarly, there is a 142 large cost in being surprised about when quantum computers can cause 143 damage to current cryptographic keys and signatures. 145 Because the world does not know when large, specialized quantum 146 computers that can recover cryptographic keys will be available, 147 organizations should be watching this area so that they have plenty 148 of time to either change to larger key sizes for classical 149 cryptography or to change to post-quantum algorithms. See Section 6 150 for a fuller discussion of determining how to predict when quantum 151 computers that can harm current cryptography might become feasible. 153 1.3. Terminology 155 The term "classical cryptography" is used to indicate the 156 cryptographic algorithms that are in common use today. In 157 particular, signature and key exchange algorithms that are based on 158 the difficulty of factoring numbers into two large prime numbers, or 159 are based on the difficulty of determining the discrete log of a 160 large composite number, are considered classical cryptography. 162 The term "post-quantum cryptography" refers to the invention and 163 study of cryptographic mechanisms in which the security does not rely 164 on computationally hard problems that can be efficiently solved on 165 quantum computers. This excludes systems whose security relies on 166 factoring numbers, or the difficulty of determining the discrete log 167 of one group element with respect to another. 169 Note that these definitions apply to only one aspect of quantum 170 computing as it relates to cryptography. It is expected that quantum 171 computing will also be able to be used against symmetric key 172 cryptography to make it possible to search for a secret symmetric key 173 using far fewer operations than are needed using classical computers 174 (see Section 5 for more detail). However, using longer keys to 175 thwart that possibility is not normally called "post-quantum 176 cryptography". 178 There are many terms that are only used in the field of quantum 179 computing, such as "qubit", "quantum algorithm", and so on. Chapter 180 1 of [NielsenChuang] has good definitions of such terms. 182 Some papers discussing quantum computers and cryptanalysis say that 183 large, specialized quantum computers "break" algorithms in classical 184 cryptography. This paper does not use that terminology because the 185 algorithms' strength will be reduced when large, specialized quantum 186 computers exist, but not to the point where there is an immediate 187 need to change algorithms. 189 The "^" symbol is used to indicate "the power of". The term "log" 190 always means "logarithm base 2". 192 1.4. Not Covered: Post-Quantum Cryptographic Algorithms 194 This document discusses when an organization would want to consider 195 using post-quantum cryptographic algorithms, but definitely does not 196 delve into which of those algorithms would be best to use. Post- 197 quantum cryptography is an active field of research; in fact, it is 198 much more active than the study of when we might want to transition 199 from classical to post-quantum cryptography. 201 Readers interested in post-quantum cryptographic algorithms will have 202 no problem finding many articles proposing such algorithms, comparing 203 the many current proposals, and so on. An excellent starting point 204 is the web site . The Open Quantum Safe (OQS) 205 project is developing and prototyping 206 quantum-resistant cryptography. Another is the article on post- 207 quantum cryptography at Wikipedia: . 210 Various organizations are working on standardizing the algorithms for 211 post-quantum cryptography. For example, the US National Institute of 212 Standards and Technology (commonly just called "NIST") is holding a 213 competition to evaluate post-quantum cryptographic algorithms. 214 NIST's description of that effort is currently at 215 . Until 216 recently, ETSI (the European Telecommunications Standards Institute) 217 had a Quantum-Safe Cryptography (QSC) Industry Specification Group 218 (ISG) that worked on specifying post-quantum algorithms; see 219 for results from this work. 222 1.5. Not Covered: Quantum Cryptography 224 Other than in this section, this document does not cover "quantum 225 cryptography". The field of quantum cryptography uses quantum 226 effects in order to secure communication between users. Quantum 227 cryptography is not related to cryptanalysis. The best known and 228 extensively studied example of quantum cryptography is a quantum key 229 exchange, where users can share a secret key while preventing an 230 eavesdropper from obtaining the key. 232 1.6. Where to Read More 234 There are many reasonably accessible articles on Wikipedia, notably 235 the overview article at and the timeline of quantum computing developments 237 at . 239 [NielsenChuang] is a well-regarded college textbook on quantum 240 computers. Prerequisites for understanding the book include linear 241 algebra and some quantum physics; however, even without those, a 242 reader can probably get value from the introductory material in the 243 book. 245 [Turing50Youtube] is a good overview of the near-term and longer-term 246 prospects for designing and building quantum computers; it is a video 247 of a panel discussion by quantum hardware and software experts given 248 at the ACM's Turing 50 lecture. 250 @@@@@ Maybe add more references that might be useful to non-experts. 252 2. Brief Introduction to Quantum Computers 254 A quantum computer is a computer that uses quantum bits (qubits) in 255 quantum circuits to perform calculations. Quantum computers also use 256 classical bits and regular circuits: most calculations in a quantum 257 computer are a mix of classical and quantum bits and circuits. For 258 example, classical bits could be used for error correction or 259 controlling the behavior of physical components of the quantum 260 computer. 262 A basic principle that makes it possible to speed up calculations on 263 qubits in quantum computers is quantum superposition. Informally, 264 similarly to waves in classical physics, arbitrary number of quantum 265 states can be added together and result will be another valid quantum 266 state. That means that, for example, two qubits could be in any 267 quantum superposition of four states, three qubits in quantum 268 superposition of eight states, and so on. Generally n qubits can be 269 in quantum superposition of 2^n states. 271 The main challenge for quantum computing is to create and maintain a 272 significantly large number of superposed qubits while performing 273 quantum computations. Physical components of quantum computers that 274 are non-ideal results in the destruction of qubit state over time; 275 this is the source of errors in quantum computation. See Section 3.1 276 for a description of how to overcome this problem. 278 A good description of different aspects of calculations on quantum 279 computer could be found in [EstimatingPreimage]. 281 A separate question is a measurement of a quantum state. Due to 282 uncertainty of the state, the measurement process is stochastic. 283 That means that in order to get the correct measurement one should 284 run several consequent calculations and corresponding measurement in 285 order to the expected value which is considered as a result of 286 measurement. 288 @@@@@ Discuss measurements and how they have to be done with 289 correlated qubits. 291 2.1. Quantum Computers that Recover Cryptographic Keys 293 Quantum computers are expected to be useful in the future for some 294 problems that take up too many resources on a large classical 295 computer. However, this document only discusses how they might 296 recover cryptographic keys faster than classical computers. In order 297 to recover cryptographic keys, a quantum computer needs to have a 298 quantum circuit specifically designed for the type of key it is 299 attempting to recover. 301 A quantum computer will need to have a circuit with thousands of 302 qubits to be useful to recover the type and size keys that are in 303 common use today. Smaller quantum computers (those with fewer qubits 304 in superposition) are not useful for using Shor's algorithm (as 305 discussed in Section 4.1) at all. That is, no one has devised a way 306 to combine a bunch of smaller quantum computers to perform the same 307 attacks on cryptographic keys via Shor's algorithm as a properly- 308 sized quantum computer. 310 This is why this document uses the term "large, specialized quantum 311 computer" when describing ones that can recover keys: there will 312 certainly be small quantum computers built first, but those computers 313 cannot recover the type and size keys that are in common use today. 314 Further, there are already quantum computers that have many qubits 315 but without the circuits needed to make those qubits useful for 316 recovering cryptographic keys. 318 A straight-forward application of Shor's algorithm may not be the 319 only way for large, specialized quantum computers to attack RSA keys. 320 [LowResource] describes how to combine quantum computers with 321 classical methods for recovering RSA keys at speeds faster than just 322 using the classical methods. 324 3. Physical Designs for Quantum Computers 326 Quantum computers can be built using many different physical 327 technologies. Deciding which physical technologies are best to 328 pursue is an extremely active research topic. A few physical 329 technologies (particularly trapped ions, super-conduction using 330 Josephson junctions, and nuclear magnetic resonance) are currently 331 getting the most press, but other technologies are also showing 332 promise. 334 One factor that is important to quantum computers that can be used 335 for cryptanalysis is the speed of the operations (transformations) on 336 qubits. Most of the estimates of speeds of these quantum computers 337 assume that qubit operations will take about the same amount of time 338 as operations in circuits that consist of classical gates and 339 classical memory. Current quantum circuits are slower than classical 340 circuits, but will certainly become faster as quantum computers are 341 developed in the future. 343 Note that some current quantum computer research uses bits that are 344 not fully entangled, and this will greatly affect their ability to 345 make useful quantum calculations. 347 3.1. Qubits, Error Detection, and Error Correction 349 Researchers building small quantum computers have discovered that 350 calculating the superposition of qubits often has a large rate of 351 error, and that error rate increases rapidly over time. Performing 352 quantum calculations such as those needed to recover cryptographic 353 keys is not feasible with the current state of quantum computers. 355 In the future, actual quantum calculations will be performed on 356 "logical qubits", that is, after the application of error correction 357 codes on physical qubits. Thus, the number of physical qubits will 358 be higher than the number of logical qubits, depending on the 359 parameters of the error correction code, which in turn depends on the 360 parameters of a technology used for a physical implementation of 361 qubits. Currently, it is estimated that it takes hundreds or 362 thousands of physical qubits to make a logical qubit. @@@@@ Need 363 reference for this statement. 365 @@@@@ Lots more material should go here. We will need recent 366 references for how many physical qubits are needed for each corrected 367 qubit. It's OK if this section has lots of references, but hopefully 368 they don't contradict each other. 370 3.2. Promising Physical Designs for Quantum Computers 372 @@@@@ It would be useful to have maybe two paragraphs about each 373 physical design that is being actively pursued. 375 3.3. Challenges for Physical Designs 377 Different designs have different challenges to overcome before the 378 physical technology can be scaled enough to build a useful large, 379 specialized quantum computer. Some of those challenges include the 380 following. (Note that some items on this list apply only to some of 381 the physical technologies.) 382 Temperature: Getting stable operation without extreme cooling is 383 difficult for many of the proposed technologies. The definition 384 of "extreme" is different for different low-temperature 385 technologies. 387 Stabilization: The length of time every qubit in a circuit holds is 388 value 390 Quantum control: Coherence and reproducibility of qubits 392 Error detection and correction: Getting accurate results through 393 simultaneous detection of bit-flip and phase-flip. See 394 Section 3.1 for a longer description of this. 396 Substrate: The material on which the qubit circuits are built. This 397 has a large effect on the stability of the qubits. 399 Particles: The atoms or sub-atomic particles used to make the qubits 401 Scalability: The ability to handle the number of physical qubits 402 needed for the desired the circuit 404 Architecture: Ability to change quantum gates in a circuit 406 4. Quantum Computers and Public Key Cryptography 408 The area of quantum computing that has generated the most interest in 409 the cryptographic community is the ability of quantum computers to 410 find the private keys in encryption and signature algorithms based on 411 discrete logarithms using exponentially fewer operations than 412 classical computers would need to use. 414 As described in [RFC3766], it is widely believed that factoring large 415 numbers and finding discrete logs using classical computers increases 416 with the exponential size of the key. [RFC3766] describes in detail 417 how classical computers can be used to determine keys; even though 418 that RFC is over a decade old, no significant changes have been made 419 to the process of classical attacks on RSA and Diffie-Hellman. @@@@@ 420 CFRG: is that true? Does RFC 3766 need to be updated? 422 Shor's algorithm shows that these problems can be solved on quantum 423 computers in polynomial time, meaning that the speed of finding the 424 keys is a polynomial function (with reasonable-sized coefficients) 425 based on the size of the keys, which would require significantly 426 fewer steps than a classical computer. The definitive paper on 427 Shor's algorithm is [Shor97]. 429 4.1. Explanation of Shor's Algorithm 431 @@@@@ Pointers to understandable articles would be good here. 433 @@@@@ Describe period-finding and why it applies to finding prime 434 factors and discrete logs. 436 @@@@@ Give the steps for applying Shor's algorithm to 2048-bit RSA. 437 Describe how many rounds of the quantum subroutine would likely be 438 needed. Describe how many rounds of the classical loop would likely 439 be needed. 441 [ResourceElliptic] gives concrete estimates of the resources needed 442 to build a quantum computer to compute elliptic curve discrete 443 logarithms. It shows that for the common P-256 elliptic curve, 2330 444 logical qubits and over 10^11 Toffoli gates. 446 4.2. Properties of Large, Specialized Quantum Computers Needed for 447 Recovering RSA Public Keys 449 Researchers have built small quantum computers that implement Shor's 450 algorithm, factoring numbers with four or five bits. These are used 451 to show that Shor's algorithm is possible to realize in actual 452 hardware. (Note, however, that [PretendingFactor] indicates that 453 these experiments may have taken shortcuts that prevent them from 454 indicating real Shor designs.) 456 @@@@@ References are needed here. Did they implement all of Shor's 457 algorithm, including the looping logic in the classical part and the 458 looping logic in the quantum part? 460 @@@@@ Numbers and explanation is needed below: 462 A quantum computer that can determine the private keys for 2048-bit 463 RSA would require SOME NUMBER GOES HERE correlated qubits and SOME 464 NUMBER GOES HERE circuit elements. A quantum computer that can 465 determine the private keys for 256-bt elliptic curves would require 466 SOME NUMBER GOES HERE correlated qubits and SOME NUMBER GOES HERE 467 circuit elements. 469 5. Quantum Computers and Symmetric Key Cryptography 471 Section 4 is about Shor's algorithm and compromises to public key 472 cryptography. There is a second quantum computing algorithm, 473 Grover's algorithm, that is often mentioned at the same time as 474 Shor's algorithm. With respect to cryptanalysis, however, Grover's 475 algorithm applies to tasks of finding a preimage, including tasks of 476 finding a secret key of a symmetric algorithm such as AES if there is 477 knowledge of plaintext-ciphertext pairs. The definitive paper on 478 Grover's algorithm is by Grover: [Grover96]. Grover later wrote a 479 more accessible paper about the algorithm in [QuantumSearch]. 481 Grover's algorithm gives a way to search for keys to symmetric 482 algorithms in the square root of the time that a normal exhaustive 483 search would take. Thus, a large, specialized quantum computer that 484 implements Grover's algorithm could find a secret AES-128 key in 485 about 2^64 steps instead of the 2^128 steps that would be required 486 for a classical computer. 488 When it appears that it is feasible to build a large, specialized 489 quantum computer that can defeat a particular symmetric algorithm at 490 a particular key size, the proper response would be to use keys with 491 twice as many bits. That is, if one is using the AES-128 algorithm 492 and there is a concern that an adversary might be able to build a 493 large, specialized quantum computer that is designed to attack 494 AES-128 keys, move to an algorithm that has keys twice as long as 495 AES-128, namely AES-256 (the block size used is not significant 496 here). 498 It is currently expected that large, specialized quantum computers 499 that implement Grover's algorithm are expected to be built long 500 before ones that implement Shor's algorithm are. There are two 501 primary reasons for this: 503 o Grover's algorithm is likely to be useful in areas other than 504 cryptography. For example, a large, specialized quantum computer 505 that implements Grover's algorithm might help create medicines by 506 speeding up complex problems that involve how proteins fold. @@@@@ 507 Add more likely examples and references here. 509 o A large, specialized quantum computer that can recover AES-128 510 keys will likely be much smaller (and thus easier to build) than 511 one that implements Shor's algorithm for 256-bit elliptic curves 512 or 2048-bit RSA/DSA keys. 514 5.1. Explanation of Grover's Algorithm 516 @@@@@ Give the steps for applying Grover's algorithm to AES-128. 518 5.2. Properties of Large, Specialized Quantum Computers Needed for 519 Recovering Symmetric Keys 521 [ApplyingGrover] estimates that a quantum computer that can determine 522 the secret keys for AES-128 would require 2953 correlated qubits and 523 2.74 * 2^86 gates. 525 5.3. Properties of Large, Specialized Quantum Computers for Computing 526 Hash Collisions 528 @@@@@ More goes here. Also, discuss how Grover's algorithm does not 529 appear to be useful for computing preimages (or say how it might be 530 used. 532 6. Predicting When Useful Cryptographic Attacks Will Be Feasible 534 If quantum computers that perform useful cryptographic attacks can be 535 built in the future, many organizations will want to start using 536 post-quantum algorithms well before those computers can be built. 537 However, given how few implementations of such quantum computers 538 exist (even for tiny keys), it is impossible to predict with any 539 accuracy when quantum computers that perform useful cryptographic 540 attacks will be feasible. 542 The term "useful" above is relative to the value of the material 543 being protected by the cryptographic algorithm to the attacker. For 544 example, if the quantum computer attacking a particular key costs 545 US$100 billion to build, costs US$1 billion a year to run, and can 546 extract only one key a year, it is possibly useful to some 547 governments, but probably not useful for attacking the TLS key used 548 to protect a small mail server. On the other hand, if later a 549 similar computer costs US$1 billion to build, costs US$10 million a 550 year to run, and can extract ten keys a year, many more keys become 551 vulnerable. 553 [BeReady] gives a simple way to approach the calculation of when one 554 needs to deploy post-quantum algorithms. In short, if the sum of how 555 long you need your keys to be secure plus how long it takes to deploy 556 new algorithms is longer than the length of time it will take for an 557 attacker to create a large, specialized quantum computer and use it 558 against your keys, then you waited too long. 560 To date, few people have done systematic research that would give 561 estimates for when useful quantum-based cryptographic attacks might 562 be feasible, and at what cost. Without such research, it is easy to 563 make wild guesses but those are not of much value to people having to 564 decide when to start using post-quantum cryptography. 566 For example, in [NIST8105], NIST says "researchers working on 567 building a quantum computer have estimated that it is likely that a 568 quantum computer capable of recovering 2000-bit RSA in a matter of 569 hours could be built by 2030 for a budget of about a billion 570 dollars". However, the referenced link is to a YouTube video 571 [MariantoniYoutube] where the researcher, Matteo Mariantoni, says 572 "maybe you should not quote me on that". [NIST8105] gives no other 573 references for predictions on cost and availability of useful 574 cryptographic attacks with quantum computers. 576 6.1. Proposal: Public Measurements of Various Quantum Technologies 578 In order to get a rough idea of when useful cryptographic attacks 579 with quantum computers may be feasible, researchers creating such 580 computers can demonstrate them when they can recover keys an eighth 581 the size of those in common use. That is, given that 2048-bit RSA, 582 256-bit elliptic curve, and AES-128 are common today, when a research 583 team has a computer than can recover 256-bit RSA, 32-bit elliptic 584 curve, or AES-128 where only 16 bits are unknown, they should 585 demonstrate it. 587 Such a demonstration could easily be made fair with trusted 588 representatives from the cryptographic community using verifiable 589 means to pick the keys to recover, and verifying the time that it 590 takes to recover each key. It might be interesting to run the same 591 tests in classical computers at the same time to give perspective. 593 These demonstrations will have many benefits to those who have to 594 decide when post-quantum algorithms should be deployed in various 595 environments. 597 o Demonstrations will likely use designs that are considered most 598 efficient. This in turn will cause greater focus research on 599 choosing good design candidates. 601 o The results of the demonstrations will help focus on issues 602 important to cryptanalysis, namely the cost of building the 603 systems and the speed of breaking a single key. 605 o Competing demonstrations will reveal where different research 606 teams have made different optimizations from well-known designs. 608 o Public demonstrations could expose designs that work only in 609 limited cases that are uncommon in normal cryptographic practice. 610 (For example, [PretendingFactor] claims that all current 611 factorization experiments have taken advantage of using a 612 classical computer that already knows the answer to design the 613 quantum circuits.) 615 Note that this proposal would only give an idea of how public 616 progress is being made on quantum computers. Well-funded military 617 agencies (and possibly even criminal enterprises) could be way ahead 618 of the publicly-visible computers. No one should rely on just the 619 public measurements when deciding how safe their keys are against 620 quantum computers. 622 7. IANA Considerations 624 None, and thus this section can be removed at final publication. 626 8. Security Considerations 628 This entire document is about cryptography, and thus about security. 630 See Section 1.1 for an important disclaimer about this document and 631 security. 633 This document is meant to help the reader predict when to transition 634 from using classical cryptographic algorithms to post-quantum 635 algorithms. That decision is ultimately up to the reader, and must 636 be made not only based on predictions of how quantum computing is 637 progressing but also the value of every key that the user handles. 638 For example, a financial institution using TLS to protect its 639 customers' transactions will probably consider its keys more valuable 640 than a small online store, and will thus be likely to begin the 641 transition earlier. 643 9. Acknowledgements 645 The list here is meant to acknowledge input to this document. The 646 people listed here do not necessarily agree with ideas presented. 648 Many sections of text were contributed by Grigory Marshalko and 649 Stanislav Smyshlyaev. 651 Some of the ideas in this document come from Denis Butin, Philip 652 Lafrance, Hilarie Orman, and Tomofumi Okubo. 654 10. References 656 10.1. Normative References 658 [Grover96] 659 Grover, L., "A fast quantum mechanical algorithm for 660 database search", 1996, . 663 [Shor97] Shor, P., "Polynomial-Time Algorithms for Prime 664 Factorization and Discrete Logarithms on a Quantum 665 Computer", 1997, 666 . 668 10.2. Informative References 670 [ApplyingGrover] 671 Grassl, M., Langenberg, B., Roetteler, M., and R. 672 Steinwandt, "Applying Grover's algorithm to AES: quantum 673 resource estimates", 2015, . 676 [BeReady] Mosca, M., "Cybersecurity in an era with quantum 677 computers: will we be ready?", 2015, 678 . 680 [EstimatingPreimage] 681 Amy, M., Di Matteo, O., Gheorghiu, V., Mosca, M., Parent, 682 A., and J. Schanck, "Estimating the cost of generic 683 quantum pre-image attacks on SHA-2 and SHA-3", 2016, 684 . 686 [LowResource] 687 Bernstein, D., Fiassse, J., and M. Mosca, "A low-resource 688 quantum factoring algorithm", 2017, 689 . 691 [MariantoniYoutube] 692 Mariantoni, M., "Building a Superconducting Quantum 693 Computer", 2014, . 696 [NielsenChuang] 697 Nielsen, M. and I. Chuang, "Quantum Computation and 698 Quantum Information, 10th Anniversary Edition", ISBN 699 97801-107-00217-3 , 2010. 701 [NIST8105] 702 Chen, L. and et. al, "Report on Post-Quantum 703 Cryptography", 2016, 704 . 707 [PretendingFactor] 708 Smolin, J., Vargo, A., and J. Smolin, "Pretending to 709 factor large numbers on a quantum computer", 2013, 710 . 712 [QuantumSearch] 713 Grover, L., "From Schrodinger's Equation to the Quantum 714 Search Algorithm", 2001, . 717 [ResourceElliptic] 718 Roetteler, M., Naehrig, M., Svore, K., and K. Lauter, 719 "Quantum Resource Estimates for Computing Elliptic Curve 720 Discrete Logarithms", 2017, 721 . 723 [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For 724 Public Keys Used For Exchanging Symmetric Keys", BCP 86, 725 RFC 3766, DOI 10.17487/RFC3766, April 2004, 726 . 728 [Turing50Youtube] 729 Vazirani, U., Aharonov, D., Gambetta, J., Martinis, J., 730 and A. Yao, "Quantum Computing: Far Away? Around the 731 Corner?", 2017, . 734 Author's Address 736 Paul Hoffman 737 ICANN 739 Email: paul.hoffman@icann.org