Network Working Group                                         P. Hoffman
Internet-Draft                                                     ICANN
Intended status: Informational                           August 14, 2017
Expires: February 15, 2018


        The Transition from Classical to Post-Quantum Cryptography
                          draft-hoffman-c2pq-02
Abstract

   Quantum computing is the study of computers that use quantum features
   in calculations.  For over 20 years, it has been known that if very
   large, specialized quantum computers could be built, they could have
   a devastating effect on asymmetric classical cryptographic algorithms
   such as RSA and elliptic curve signatures and key exchange, as well
   as (though to a lesser degree) on symmetric cryptographic algorithms
   such as block ciphers, MACs, and hash functions.  There has already
   been a great deal of study on how to create algorithms that will
   resist large, specialized quantum computers, but so far, the
   properties of those algorithms make them onerous to adopt before they
   are needed.

   Small quantum computers are being built today, but it is still far
   from clear when large, specialized quantum computers will be built
   that can recover private or secret keys in classical algorithms at
   the key sizes commonly used today.  It is important to be able to
   predict when large, specialized quantum computers usable for
   cryptanalysis will be possible so that organizations can change to
   post-quantum cryptographic algorithms well before they are needed.

   This document describes quantum computing, how it might be used to
   attack classical cryptographic algorithms, and how one might predict
   when large, specialized quantum computers will become feasible.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 15, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
     1.1.  Disclaimer
     1.2.  Executive Summary
     1.3.  Terminology
     1.4.  Not Covered: Post-Quantum Cryptographic Algorithms
     1.5.  Not Covered: Quantum Cryptography
     1.6.  Where to Read More
   2.  Brief Introduction to Quantum Computers
     2.1.  Quantum Computers that Recover Cryptographic Keys
   3.  Physical Designs for Quantum Computers
     3.1.  Qubits, Error Detection, and Error Correction
     3.2.  Promising Physical Designs for Quantum Computers
     3.3.  Challenges for Physical Designs
   4.  Quantum Computers and Public Key Cryptography
     4.1.  Explanation of Shor's Algorithm
     4.2.  Properties of Large, Specialized Quantum Computers Needed
           for Recovering RSA Public Keys
   5.  Quantum Computers and Symmetric Key Cryptography
     5.1.  Explanation of Grover's Algorithm
     5.2.  Properties of Large, Specialized Quantum Computers Needed
           for Recovering Symmetric Keys
     5.3.  Properties of Large, Specialized Quantum Computers for
           Computing Hash Collisions
   6.  Predicting When Useful Cryptographic Attacks Will Be Feasible
     6.1.  Proposal: Public Measurements of Various Quantum
           Technologies
   7.  IANA Considerations
   8.  Security Considerations
   9.  Acknowledgements
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Author's Address
1.  Introduction

   Early drafts of this document use "@@@@@" to indicate where the
   editor particularly wants input from reviewers.  The editor welcomes
   all types of review, but the areas marked with "@@@@@" are in the
   most noticeable need of new material.  (The editor particularly
   appreciates new material that comes with references that can be
   included in this document as well.)

1.1.  Disclaimer

   **** This is an early version of this draft. ****  As such, it has
   had little in-depth review in the cryptography community.  Statements
   in this document might be wrong; given that the entire document is
   about cryptography, those wrong statements might have significant
   security problems associated with them.

   Readers of this document should not rely on any statements in this
   version of this draft.  As the draft gets more input from the
   cryptography community over time, this disclaimer will be softened
   and eventually eliminated.
1.2.  Executive Summary

   The development of quantum computers that can recover private or
   secret keys in classical algorithms at the key sizes commonly used
   today is at a very early stage.  None of the published examples of
   such quantum computers is useful in recovering keys that are in use
   today.  There is a great amount of interest in this development, and
   researchers expect large strides in this development in the coming
   decade.

   There is active research in standardizing signing and key exchange
   algorithms that will withstand attacks from large, specialized
   quantum computers.  However, all those algorithms to date have very
   large keys, very large signatures, or both.  Thus, there is a large
   sustained cost in using those algorithms.  Similarly, there is a
   large cost in being surprised about when quantum computers can cause
   damage to current cryptographic keys and signatures.

   Because the world does not know when large, specialized quantum
   computers that can recover cryptographic keys will be available,
   organizations should be watching this area so that they have plenty
   of time either to change to larger key sizes for classical
   cryptography or to change to post-quantum algorithms.  See Section 6
   for a fuller discussion of how to predict when quantum computers
   that can harm current cryptography might become feasible.
1.3.  Terminology

   The term "classical cryptography" is used to indicate the
   cryptographic algorithms that are in common use today.  In
   particular, signature and key exchange algorithms whose security is
   based on the difficulty of factoring a number that is the product of
   two large primes, or on the difficulty of computing discrete
   logarithms in a large finite group (such as the multiplicative group
   of integers modulo a large prime, or the group of points on an
   elliptic curve), are considered classical cryptography.

   The term "post-quantum cryptography" refers to the invention and
   study of cryptographic mechanisms whose security does not rely on
   computationally hard problems that can be efficiently solved on
   quantum computers.  This excludes systems whose security relies on
   factoring numbers or on the difficulty of determining the discrete
   log of one group element with respect to another.

   Note that these definitions apply to only one aspect of quantum
   computing as it relates to cryptography.  It is expected that quantum
   computing will also be usable against symmetric key cryptography,
   making it possible to search for a secret symmetric key using far
   fewer operations than are needed on classical computers (see
   Section 5 for more detail).  However, using longer keys to thwart
   that possibility is not normally called "post-quantum cryptography".

   There are many terms that are used only in the field of quantum
   computing, such as "qubit", "quantum algorithm", and so on.  Chapter
   1 of [NielsenChuang] has good definitions of such terms.

   Some papers discussing quantum computers and cryptanalysis say that
   large, specialized quantum computers "break" algorithms in classical
   cryptography.  This document does not use that terminology because,
   while the algorithms' strength will be reduced once large,
   specialized quantum computers exist, there is no immediate need to
   change algorithms today.

   The "^" symbol is used to indicate "the power of".  The term "log"
   always means "logarithm base 2".
1.4.  Not Covered: Post-Quantum Cryptographic Algorithms

   This document discusses when an organization would want to consider
   using post-quantum cryptographic algorithms, but definitely does not
   delve into which of those algorithms would be best to use.
   Post-quantum cryptography is an active field of research; in fact, it
   is much more active than the study of when we might want to
   transition from classical to post-quantum cryptography.

   Readers interested in post-quantum cryptographic algorithms will have
   no problem finding many articles proposing such algorithms, comparing
   the many current proposals, and so on.  An excellent starting point
   is the web site .  The Open Quantum Safe (OQS) project is developing
   and prototyping quantum-resistant cryptography.  Another is the
   article on post-quantum cryptography at Wikipedia: .

   Various organizations are working on standardizing the algorithms for
   post-quantum cryptography.  For example, the US National Institute of
   Standards and Technology (commonly just called "NIST") is holding a
   competition to evaluate post-quantum cryptographic algorithms.
   NIST's description of that effort is currently at .  Until recently,
   ETSI (the European Telecommunications Standards Institute) had a
   Quantum-Safe Cryptography (QSC) Industry Specification Group (ISG)
   that worked on specifying post-quantum algorithms; see for results
   from this work.
1.5.  Not Covered: Quantum Cryptography

   Other than in this section, this document does not cover "quantum
   cryptography".  The field of quantum cryptography uses quantum
   effects in order to secure communication between users.  Quantum
   cryptography is not related to cryptanalysis.  The best known and
   most extensively studied example of quantum cryptography is quantum
   key exchange, where users can share a secret key while preventing an
   eavesdropper from obtaining the key.

1.6.  Where to Read More

   There are many reasonably accessible articles on Wikipedia, notably
   the overview article at and the timeline of quantum computing
   developments at .

   [NielsenChuang] is a well-regarded college textbook on quantum
   computers.  Prerequisites for understanding the book include linear
   algebra and some quantum physics; however, even without those, a
   reader can probably get value from the introductory material in the
   book.

   [Turing50Youtube] is a good overview of the near-term and longer-term
   prospects for designing and building quantum computers; it is a video
   of a panel discussion by quantum hardware and software experts given
   at the ACM's Turing 50 lecture.

   @@@@@ Maybe add more references that might be useful to non-experts.
2.  Brief Introduction to Quantum Computers

   A quantum computer is a computer that uses quantum bits (qubits) in
   quantum circuits to perform calculations.  Quantum computers also use
   classical bits and regular circuits: most calculations in a quantum
   computer are a mix of classical and quantum bits and circuits.  For
   example, classical bits could be used for error correction or for
   controlling the behavior of physical components of the quantum
   computer.

   A basic principle that makes it possible to speed up calculations on
   qubits in quantum computers is quantum superposition.  Informally,
   much as waves in classical physics can be added together, an
   arbitrary number of quantum states can be added together and the
   result is another valid quantum state.  That means that, for example,
   two qubits can be in any quantum superposition of four states, three
   qubits in a quantum superposition of eight states, and so on.  In
   general, n qubits can be in a quantum superposition of 2^n states.

   The main challenge for quantum computing is to create and maintain a
   sufficiently large number of superposed qubits while performing
   quantum computations.  Non-ideal physical components of quantum
   computers cause the qubit state to degrade over time; this is the
   source of errors in quantum computation.  See Section 3.1 for a
   description of how to overcome this problem.

   A good description of different aspects of calculations on a quantum
   computer can be found in [EstimatingPreimage].

   A separate question is the measurement of a quantum state.
   Measurement is probabilistic: measuring a register of qubits in
   superposition yields one of the superposed states, with a probability
   determined by that state's amplitude, and destroys the superposition.
   A quantum algorithm therefore arranges for the desired answer to have
   high probability, and the computation and measurement are typically
   repeated several times, with each measured result checked classically
   (for example, by verifying that a candidate factor actually divides
   the number being factored).

   @@@@@ Discuss measurements and how they have to be done with
   correlated qubits.
2.1.  Quantum Computers that Recover Cryptographic Keys

   Quantum computers are expected to be useful in the future for some
   problems that take up too many resources on a large classical
   computer.  However, this document only discusses how they might
   recover cryptographic keys faster than classical computers.  In order
   to recover cryptographic keys, a quantum computer needs to have a
   quantum circuit specifically designed for the type of key it is
   attempting to recover.

   A quantum computer will need to have a circuit with thousands of
   qubits to be useful for recovering the types and sizes of keys that
   are in common use today.  Smaller quantum computers (those with fewer
   qubits in superposition) are not useful for running Shor's algorithm
   (as discussed in Section 4.1) against such keys at all.  That is, no
   one has devised a way to combine several smaller quantum computers to
   perform the same attacks on cryptographic keys via Shor's algorithm
   as a properly-sized quantum computer.

   This is why this document uses the term "large, specialized quantum
   computer" when describing ones that can recover keys: there will
   certainly be small quantum computers built first, but those computers
   cannot recover the types and sizes of keys that are in common use
   today.  Further, there are already quantum computers that have many
   qubits but lack the circuits needed to make those qubits useful for
   recovering cryptographic keys.

   A straightforward application of Shor's algorithm may not be the
   only way for large, specialized quantum computers to attack RSA keys.
   [LowResource] describes how to combine quantum computers with
   classical methods to recover RSA keys faster than with the classical
   methods alone.
3.  Physical Designs for Quantum Computers

   Quantum computers can be built using many different physical
   technologies.  Deciding which physical technologies are best to
   pursue is an extremely active research topic.  A few physical
   technologies (particularly trapped ions, superconducting circuits
   using Josephson junctions, and nuclear magnetic resonance) are
   currently getting the most press, but other technologies are also
   showing promise.

   One factor that is important to quantum computers that can be used
   for cryptanalysis is the speed of the operations (transformations) on
   qubits.  Most of the estimates of speeds of these quantum computers
   assume that qubit operations will take about the same amount of time
   as operations in circuits that consist of classical gates and
   classical memory.  Current quantum circuits are slower than classical
   circuits, and estimates of attack time depend on how much faster they
   become as quantum computers are developed in the future.

   Note that some current quantum computer research uses qubits that are
   not fully entangled, and this greatly affects their ability to
   perform useful quantum calculations.
3.1.  Qubits, Error Detection, and Error Correction

   Researchers building small quantum computers have found that
   operations on qubits in superposition have a high rate of error, and
   that the accumulated error grows rapidly with the duration of the
   computation.  Performing quantum calculations such as those needed to
   recover cryptographic keys is not feasible with the current state of
   quantum computers.

   In the future, actual quantum calculations will be performed on
   "logical qubits", that is, on qubits obtained by applying error
   correction codes to physical qubits.  Thus, the number of physical
   qubits will be higher than the number of logical qubits, by a factor
   that depends on the parameters of the error correction code, which in
   turn depend on the parameters of the technology used for the physical
   implementation of the qubits.  Currently, it is estimated that it
   takes hundreds or thousands of physical qubits to make a logical
   qubit.  @@@@@ Need reference for this statement.

   @@@@@ Lots more material should go here.  We will need recent
   references for how many physical qubits are needed for each corrected
   qubit.  It's OK if this section has lots of references, but hopefully
   they don't contradict each other.
3.2.  Promising Physical Designs for Quantum Computers

   @@@@@ It would be useful to have maybe two paragraphs about each
   physical design that is being actively pursued.

3.3.  Challenges for Physical Designs

   Different designs have different challenges to overcome before the
   physical technology can be scaled enough to build a useful large,
   specialized quantum computer.  Some of those challenges include the
   following.  (Note that some items on this list apply only to some of
   the physical technologies.)

   Temperature:  Getting stable operation without extreme cooling is
      difficult for many of the proposed technologies.  The definition
      of "extreme" is different for different low-temperature
      technologies.

   Stabilization:  The length of time every qubit in a circuit holds its
      value.

   Quantum control:  Coherence and reproducibility of qubits.

   Error detection and correction:  Getting accurate results through
      simultaneous detection of bit-flip and phase-flip errors.  See
      Section 3.1 for a longer description of this.

   Substrate:  The material on which the qubit circuits are built.  This
      has a large effect on the stability of the qubits.

   Particles:  The atoms or sub-atomic particles used to make the qubits.

   Scalability:  The ability to handle the number of physical qubits
      needed for the desired circuit.

   Architecture:  The ability to change quantum gates in a circuit.
4.  Quantum Computers and Public Key Cryptography

   The area of quantum computing that has generated the most interest in
   the cryptographic community is the ability of quantum computers to
   find the private keys of encryption and signature algorithms based on
   factoring or on discrete logarithms using exponentially fewer
   operations than classical computers would need.

   As described in [RFC3766], it is widely believed that the work needed
   to factor large numbers or to find discrete logs using classical
   computers grows faster than any polynomial in the size of the key.
   [RFC3766] describes in detail how classical computers can be used to
   determine keys; even though that RFC is over a decade old, no
   significant changes have been made to the process of classical
   attacks on RSA and Diffie-Hellman.  @@@@@ CFRG: is that true?  Does
   RFC 3766 need to be updated?

   Shor's algorithm shows that these problems can be solved on quantum
   computers in polynomial time, meaning that the number of steps needed
   to find the keys is a polynomial function (with reasonable-sized
   coefficients) of the size of the keys, which is significantly fewer
   steps than a classical computer would need.  The definitive paper on
   Shor's algorithm is [Shor97].
4.1.  Explanation of Shor's Algorithm

   @@@@@ Pointers to understandable articles would be good here.

   @@@@@ Describe period-finding and why it applies to finding prime
   factors and discrete logs.

   @@@@@ Give the steps for applying Shor's algorithm to 2048-bit RSA.
   Describe how many rounds of the quantum subroutine would likely be
   needed.  Describe how many rounds of the classical loop would likely
   be needed.

   [ResourceElliptic] gives concrete estimates of the resources needed
   to build a quantum computer to compute elliptic curve discrete
   logarithms.  It shows that, for the common P-256 elliptic curve,
   2330 logical qubits and over 10^11 Toffoli gates would be required.
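   The following Python program is an added example; it is not part of
   this draft or of [Shor97].  It runs the classical part of Shor's
   algorithm with the quantum order-finding subroutine replaced by an
   exhaustive classical search, so that the reduction from the period r
   of a^x mod N to the factors of N can be executed and the number of
   rounds of the classical loop observed on small moduli.  The moduli,
   the random seed, and the round limit are choices made for the
   example.

```python
"""Classical skeleton of Shor's factoring algorithm (added example).

Shor's algorithm reduces factoring N to finding the order r of a random
a modulo N, i.e. the smallest r > 0 with a^r = 1 (mod N).  Only the
order-finding step runs on the quantum computer; the rest is classical.
Below, the quantum step is replaced by an exhaustive classical search
(exponential in the size of N), so the reduction can be run on small
moduli and the number of classical rounds observed.
"""
import math
import random


def find_order_classically(a: int, n: int) -> int:
    """Multiplicative order of a modulo n by exhaustive search.

    Stands in for the quantum period-finding subroutine; requires
    gcd(a, n) == 1 so that the sequence a^x mod n returns to 1.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, r: int, n: int):
    """Classical post-processing of Shor's algorithm.

    If r is even and y = a^(r/2) is a non-trivial square root of 1 mod n,
    then y^2 - 1 = (y - 1)(y + 1) = 0 (mod n), so n shares a factor with
    y - 1 or y + 1.  Returns a non-trivial factor, or None when this a
    must be discarded and the loop repeated with a new a.
    """
    if r % 2:
        return None                 # odd order: try another a
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                 # y == -1 mod n is a trivial root: try another a
    for g in (math.gcd(y - 1, n), math.gcd(y + 1, n)):
        if 1 < g < n:
            return g
    return None


def shor_factor(n: int, seed: int = 1, max_rounds: int = 100):
    """Run the classical loop of Shor's algorithm on an odd composite n.

    Returns (p, q, rounds) with p * q == n.  For n a product of two
    distinct odd primes, a random a succeeds with probability >= 1/2, so
    only a few rounds are expected.  Raises ValueError if no round
    succeeds, which is what happens when n is prime (the reduction needs
    n to be composite and not a prime power).
    """
    if n % 2 == 0:
        return 2, n // 2, 0
    rng = random.Random(seed)       # seeded so runs are reproducible
    for rounds in range(1, max_rounds + 1):
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g != 1:
            return g, n // g, rounds    # lucky: a already shares a factor with n
        r = find_order_classically(a, n)
        f = factor_from_order(a, r, n)
        if f is not None:
            return f, n // f, rounds
    raise ValueError(f"no factor of {n} found in {max_rounds} rounds; is it prime?")


if __name__ == "__main__":
    for modulus in (15, 21, 3233):  # 3233 = 53 * 61, a 12-bit "RSA" modulus
        p, q, k = shor_factor(modulus)
        print(f"N={modulus}: {p} * {q}, found after {k} classical round(s)")
```

   The exhaustive search in find_order_classically is the only step that
   is exponential in the size of N; it is exactly the step a large,
   specialized quantum computer would perform in polynomial time, and
   everything else in the program is the classical loop the draft asks
   about above.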
4.2.  Properties of Large, Specialized Quantum Computers Needed for
      Recovering RSA Public Keys

   Researchers have built small quantum computers that implement Shor's
   algorithm, factoring numbers with four or five bits.  These are used
   to show that Shor's algorithm can be realized in actual hardware.
   (Note, however, that [PretendingFactor] indicates that these
   experiments may have taken shortcuts that prevent them from being
   representative of real Shor designs.)

   @@@@@ References are needed here.  Did they implement all of Shor's
   algorithm, including the looping logic in the classical part and the
   looping logic in the quantum part?

   @@@@@ Numbers and explanation are needed below:

   A quantum computer that can determine the private keys for 2048-bit
   RSA would require SOME NUMBER GOES HERE correlated qubits and SOME
   NUMBER GOES HERE circuit elements.  A quantum computer that can
   determine the private keys for 256-bit elliptic curves would require
   SOME NUMBER GOES HERE correlated qubits and SOME NUMBER GOES HERE
   circuit elements.
5.  Quantum Computers and Symmetric Key Cryptography

   Section 4 is about Shor's algorithm and compromises to public key
   cryptography.  There is a second quantum computing algorithm,
   Grover's algorithm, that is often mentioned at the same time as
   Shor's algorithm.  With respect to cryptanalysis, however, Grover's
   algorithm applies to tasks of finding a preimage, including finding
   the secret key of a symmetric algorithm such as AES when
   plaintext-ciphertext pairs are known.  The definitive paper on
   Grover's algorithm is by Grover: [Grover96].  Grover later wrote a
   more accessible paper about the algorithm in [QuantumSearch].

   Grover's algorithm gives a way to search for keys to symmetric
   algorithms in roughly the square root of the number of steps that a
   normal exhaustive search would take.  Thus, a large, specialized
   quantum computer that implements Grover's algorithm could find a
   secret AES-128 key in about 2^64 steps instead of the 2^128 steps
   that would be required for a classical computer.

   When it appears that it is feasible to build a large, specialized
   quantum computer that can defeat a particular symmetric algorithm at
   a particular key size, the proper response would be to use keys with
   twice as many bits.  That is, if one is using the AES-128 algorithm
   and there is a concern that an adversary might be able to build a
   large, specialized quantum computer that is designed to attack
   AES-128 keys, move to an algorithm that has keys twice as long as
   AES-128, namely AES-256 (the block size used is not significant
   here).

   It is currently expected that large, specialized quantum computers
   that implement Grover's algorithm will be built long before ones that
   implement Shor's algorithm.  There are two primary reasons for this:

   o  Grover's algorithm is likely to be useful in areas other than
      cryptography.  For example, a large, specialized quantum computer
      that implements Grover's algorithm might help create medicines by
      speeding up complex problems that involve how proteins fold.
      @@@@@ Add more likely examples and references here.

   o  A large, specialized quantum computer that can recover AES-128
      keys will likely be much smaller (and thus easier to build) than
      one that implements Shor's algorithm for 256-bit elliptic curves
      or 2048-bit RSA/DSA keys.

5.1.  Explanation of Grover's Algorithm

   @@@@@ Give the steps for applying Grover's algorithm to AES-128.
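   The following Python program is an added example; it is not part of
   this draft or of [Grover96].  It simulates Grover's algorithm on a
   classical state vector for a known-plaintext key search against an
   8-bit toy cipher constructed for the example (it is not AES and is
   not secure), shows that about (pi/4) * sqrt(2^n) oracle queries
   suffice to recover the key with probability close to 1, and computes
   the resulting effective security of 128-bit and 256-bit keys, which
   is the reasoning behind the "double the key size" advice above.  The
   toy cipher and the sample key and plaintext values are assumptions of
   the example.

```python
"""Grover's algorithm, simulated classically, for a known-plaintext key
search (added example, not from the draft).

The oracle marks the key k for which E_k(plaintext) == ciphertext.  On
N = 2^n candidate keys, about (pi/4)*sqrt(N) oracle queries rotate the
state so that a measurement returns the marked key with probability
close to 1.  The simulation stores all 2^n amplitudes, so it costs
exponential time and memory on a classical machine; it demonstrates the
algorithm's structure and query count, not the speedup itself.
"""
import math


def toy_encrypt(key: int, plaintext: int) -> int:
    """Constructed 8-bit toy cipher for the oracle (NOT a real cipher).

    One round: xor the key, multiply by an odd constant, rotate.  Each
    step is a bijection, so for a fixed plaintext exactly one key yields
    a given ciphertext, which keeps a single marked item for Grover.
    """
    x = (plaintext ^ key) & 0xFF
    x = (x * 5 + 17) & 0xFF
    return ((x << 3) | (x >> 5)) & 0xFF


def grover_iterations(n_bits: int) -> int:
    """Optimal iteration count for one marked item among 2^n_bits."""
    return int(math.floor((math.pi / 4) * math.sqrt(2 ** n_bits)))


def grover_search(n_bits: int, is_marked):
    """Simulate Grover search over 2^n_bits basis states.

    is_marked(x) is the oracle predicate.  Returns (best_candidate,
    probability_of_measuring_it, oracle_queries).  Amplitudes stay real
    because both the oracle and the diffusion operator are real.
    """
    size = 2 ** n_bits
    amp = [1.0 / math.sqrt(size)] * size        # uniform superposition H^n|0>
    iters = grover_iterations(n_bits)
    for _ in range(iters):
        # Oracle: flip the sign of every marked basis state.
        amp = [-a if is_marked(x) else a for x, a in enumerate(amp)]
        # Diffusion 2|s><s| - I: reflect every amplitude about the mean.
        mean = sum(amp) / size
        amp = [2 * mean - a for a in amp]
    probs = [a * a for a in amp]                 # Born rule: P(x) = |amp_x|^2
    best = max(range(size), key=probs.__getitem__)
    return best, probs[best], iters


def recover_toy_key(plaintext: int, ciphertext: int):
    """Known-plaintext key recovery on the 8-bit toy cipher via Grover."""
    return grover_search(8, lambda k: toy_encrypt(k, plaintext) == ciphertext)


def grover_security_bits(key_bits: int) -> float:
    """log2 of the Grover queries needed against a key_bits-bit key.

    Roughly key_bits/2, which is why the response to a Grover-capable
    adversary is to double the key length (AES-128 -> AES-256).
    """
    return math.log2(grover_iterations(key_bits))


if __name__ == "__main__":
    secret_key, plaintext = 0xA7, 0x3C           # constructed sample values
    ciphertext = toy_encrypt(secret_key, plaintext)
    key, prob, queries = recover_toy_key(plaintext, ciphertext)
    print(f"recovered 0x{key:02x} (true 0x{secret_key:02x}) with probability "
          f"{prob:.4f} after {queries} oracle queries out of 256 candidate keys")
    for bits in (128, 256):
        print(f"{bits}-bit key: about 2^{grover_security_bits(bits):.1f} Grover queries")
```

   The oracle is the only cipher-specific part; against a real cipher it
   would be a reversible quantum circuit for the cipher evaluated on the
   known plaintext, which is what the qubit and gate counts of
   [ApplyingGrover] measure.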
5.2.  Properties of Large, Specialized Quantum Computers Needed for
      Recovering Symmetric Keys

   [ApplyingGrover] estimates that a quantum computer that can determine
   the secret keys for AES-128 would require 2953 correlated qubits and
   2.74 * 2^86 gates.

5.3.  Properties of Large, Specialized Quantum Computers for Computing
      Hash Collisions

   @@@@@ More goes here.  Also, discuss how Grover's algorithm does not
   appear to be useful for computing preimages (or say how it might be
   used).
6.  Predicting When Useful Cryptographic Attacks Will Be Feasible

   If quantum computers that perform useful cryptographic attacks can be
   built in the future, many organizations will want to start using
   post-quantum algorithms well before those computers can be built.
   However, given how few implementations of such quantum computers
   exist (even for tiny keys), it is impossible to predict with any
   accuracy when quantum computers that perform useful cryptographic
   attacks will be feasible.

   The term "useful" above is relative to the value, to the attacker, of
   the material being protected by the cryptographic algorithm.  For
   example, if the quantum computer attacking a particular key costs
   US$100 billion to build, costs US$1 billion a year to run, and can
   extract only one key a year, it is possibly useful to some
   governments, but probably not useful for attacking the TLS key used
   to protect a small mail server.  On the other hand, if later a
   similar computer costs US$1 billion to build, costs US$10 million a
   year to run, and can extract ten keys a year, many more keys become
   vulnerable.

   [BeReady] gives a simple way to approach the calculation of when one
   needs to deploy post-quantum algorithms.  In short, if the sum of how
   long you need your keys to be secure plus how long it takes to deploy
   new algorithms is longer than the length of time it will take for an
   attacker to create a large, specialized quantum computer and use it
   against your keys, then you have waited too long.

   To date, few people have done systematic research that would give
   estimates for when useful quantum-based cryptographic attacks might
   be feasible, and at what cost.  Without such research, it is easy to
   make wild guesses, but those are not of much value to people having
   to decide when to start using post-quantum cryptography.

   For example, in [NIST8105], NIST says "researchers working on
   building a quantum computer have estimated that it is likely that a
   quantum computer capable of recovering 2000-bit RSA in a matter of
   hours could be built by 2030 for a budget of about a billion
   dollars".  However, the referenced link is to a YouTube video
   [MariantoniYoutube] where the researcher, Matteo Mariantoni, says
   "maybe you should not quote me on that".  [NIST8105] gives no other
   references for predictions on cost and availability of useful
   cryptographic attacks with quantum computers.
6.1.  Proposal: Public Measurements of Various Quantum Technologies

   In order to get a rough idea of when useful cryptographic attacks
   with quantum computers may be feasible, researchers creating such
   computers can demonstrate them when they can recover keys an eighth
   the size of those in common use.  That is, given that 2048-bit RSA,
   256-bit elliptic curves, and AES-128 are common today, when a
   research team has a computer that can recover 256-bit RSA, 32-bit
   elliptic curve, or AES-128 keys where only 16 bits are unknown, they
   should demonstrate it.

   Such a demonstration could easily be made fair with trusted
   representatives from the cryptographic community using verifiable
   means to pick the keys to recover, and verifying the time that it
   takes to recover each key.  It might be interesting to run the same
   tests on classical computers at the same time to give perspective.

   These demonstrations will have many benefits for those who have to
   decide when post-quantum algorithms should be deployed in various
   environments.

   o  Demonstrations will likely use designs that are considered most
      efficient.  This in turn will focus research on choosing good
      design candidates.

   o  The results of the demonstrations will help focus on issues
      important to cryptanalysis, namely the cost of building the
      systems and the speed of breaking a single key.

   o  Competing demonstrations will reveal where different research
      teams have made different optimizations from well-known designs.

   o  Public demonstrations could expose designs that work only in
      limited cases that are uncommon in normal cryptographic practice.
      (For example, [PretendingFactor] claims that all current
      factorization experiments have taken advantage of using a
      classical computer that already knows the answer to design the
      quantum circuits.)

   Note that this proposal would only give an idea of how public
   progress is being made on quantum computers.  Well-funded military
   agencies (and possibly even criminal enterprises) could be way ahead
   of the publicly-visible computers.  No one should rely on just the
   public measurements when deciding how safe their keys are against
   quantum computers.
7.  IANA Considerations

   None, and thus this section can be removed at final publication.

8.  Security Considerations

   This entire document is about cryptography, and thus about security.

   See Section 1.1 for an important disclaimer about this document and
   security.

   This document is meant to help the reader predict when to transition
   from using classical cryptographic algorithms to post-quantum
   algorithms.  That decision is ultimately up to the reader, and must
   be made based not only on predictions of how quantum computing is
   progressing but also on the value of every key that the user
   handles.  For example, a financial institution using TLS to protect
   its customers' transactions will probably consider its keys more
   valuable than a small online store does, and will thus be likely to
   begin the transition earlier.

9.  Acknowledgements

   The list here is meant to acknowledge input to this document.  The
   people listed here do not necessarily agree with the ideas presented.

   Many sections of text were contributed by Grigory Marshalko and
   Stanislav Smyshlyaev.

   Some of the ideas in this document come from Denis Butin, Philip
   Lafrance, Hilarie Orman, and Tomofumi Okubo.
10.  References

10.1.  Normative References

   [Grover96] Grover, L., "A fast quantum mechanical algorithm for
              database search", 1996.

   [Shor97]   Shor, P., "Polynomial-Time Algorithms for Prime
              Factorization and Discrete Logarithms on a Quantum
              Computer", 1997.

10.2.  Informative References

   [ApplyingGrover]
              Grassl, M., Langenberg, B., Roetteler, M., and R.
              Steinwandt, "Applying Grover's algorithm to AES: quantum
              resource estimates", 2015.

   [BeReady]  Mosca, M., "Cybersecurity in an era with quantum
              computers: will we be ready?", 2015.

   [EstimatingPreimage]
              Amy, M., Di Matteo, O., Gheorghiu, V., Mosca, M., Parent,
              A., and J. Schanck, "Estimating the cost of generic
              quantum pre-image attacks on SHA-2 and SHA-3", 2016.

   [LowResource]
              Bernstein, D., Biasse, J-F., and M. Mosca, "A low-resource
              quantum factoring algorithm", 2017.

   [MariantoniYoutube]
              Mariantoni, M., "Building a Superconducting Quantum
              Computer", 2014.

   [NielsenChuang]
              Nielsen, M. and I. Chuang, "Quantum Computation and
              Quantum Information, 10th Anniversary Edition",
              ISBN 978-1-107-00217-3, 2010.

   [NIST8105] Chen, L., et al., "Report on Post-Quantum Cryptography",
              2016.

   [PretendingFactor]
              Smolin, J., Smith, G., and A. Vargo, "Pretending to
              factor large numbers on a quantum computer", 2013.

   [QuantumSearch]
              Grover, L., "From Schrodinger's Equation to the Quantum
              Search Algorithm", 2001.

   [ResourceElliptic]
              Roetteler, M., Naehrig, M., Svore, K., and K. Lauter,
              "Quantum Resource Estimates for Computing Elliptic Curve
              Discrete Logarithms", 2017.

   [RFC3766]  Orman, H. and P. Hoffman, "Determining Strengths For
              Public Keys Used For Exchanging Symmetric Keys", BCP 86,
              RFC 3766, DOI 10.17487/RFC3766, April 2004.

   [Turing50Youtube]
              Vazirani, U., Aharonov, D., Gambetta, J., Martinis, J.,
              and A. Yao, "Quantum Computing: Far Away?  Around the
              Corner?", 2017.

Author's Address

   Paul Hoffman
   ICANN

   Email: paul.hoffman@icann.org