Re: [tor-dev] PQ crypto updates
> Date: Sat, 19 Aug 2017 06:55:29 +0000
> From: Yawning Angel <yawning@xxxxxxxxxxxxxxx>
>
> On Sat, 19 Aug 2017 04:11:16 -0000
> bancfc@xxxxxxxxxxxxxxx wrote:
> > Boom headshot! AEZ is dead in the water post quantum:
> >
> > Paper name: Quantum Key-Recovery on full AEZ
> >
> > https://eprint.iacr.org/2017/767.pdf
>
> ... I'm not seeing your point. Even prior to that paper, AEZ wasn't
> thought to be quantum resistant in any way, shape or form, and providing
> quantum resistance wasn't part of the design goals of the primitive, or
> really why it was being considered at one point for use in Tor.
I would expect AEZ to have essentially the same post-quantum security
as, e.g., AES or any other symmetric crypto -- square root speedup by
Grover.
However, this paper is not about the conventional notion of
post-quantum security -- what is the cost, to an adversary with a large
quantum computer, of breaking ordinary users of the cryptosystem? --
but a radically different notion of security for users who
inexplicably choose to evaluate AEZ in a quantum superposition of inputs
and reveal that superposition to an adversary.
It is not surprising that when users abuse their crypto primitives in
an astoundingly bizarre way, to reveal quantum superpositions of
outputs, the original security claims of the classical crypto
primitives go flying out the window!
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
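The "square root speedup by Grover" that the reply refers to is the conventional post-quantum cost model for symmetric keys: an n-bit key costs about 2^(n/2) quantum key-test queries instead of about 2^(n-1) classical trials. The following pure-Python simulation is an added example, not code from the thread or from the AEZ or Tor projects. It simulates Grover's search over a constructed n-bit key space with a phase oracle and the inversion-about-the-mean diffusion step, reports the success probability after the optimal number of iterations, and shows the overshoot failure mode (too many iterations drive the success probability back down). The function and parameter names are this example's own. It does not model the superposition-query (chosen-superposition) setting that the quoted paper uses, which is the very different model the reply criticizes.

```python
import math
from typing import Optional


def grover_iterations(n_bits: int) -> int:
    """Optimal iteration count for Grover search over N = 2**n_bits keys: floor(pi/4 * sqrt(N))."""
    return int(math.floor((math.pi / 4) * math.sqrt(2 ** n_bits)))


def classical_expected_trials(n_bits: int) -> float:
    """Expected key tests for classical brute force over N = 2**n_bits uniformly random keys."""
    n_keys = 2 ** n_bits
    return (n_keys + 1) / 2


def grover_success_probability(n_bits: int, target: int,
                               iterations: Optional[int] = None) -> float:
    """Simulate Grover's algorithm on a 2**n_bits-element key space.

    Amplitudes stay real because the oracle is a phase flip, so a plain list of
    floats is enough. Each loop iteration is one "superposition query" of the
    key-test oracle followed by the diffusion (inversion about the mean).
    Returns the probability of measuring `target` after `iterations` rounds
    (default: the optimal count from grover_iterations).
    """
    size = 1 << n_bits
    if not 0 <= target < size:
        raise ValueError("target must be an n_bits-bit key")
    if iterations is None:
        iterations = grover_iterations(n_bits)

    # Start in the uniform superposition over all keys.
    amp = [1.0 / math.sqrt(size)] * size
    for _ in range(iterations):
        # Oracle: flip the sign of the amplitude of the correct key.
        amp[target] = -amp[target]
        # Diffusion: reflect every amplitude about the mean amplitude.
        mean = sum(amp) / size
        amp = [2.0 * mean - a for a in amp]
    return amp[target] ** 2


def compare_costs(n_bits: int) -> dict:
    """Classical vs Grover cost for an n-bit key, with the simulated success probability."""
    target = (0x5A5A5A5A5A5A5A5A) & ((1 << n_bits) - 1)  # constructed sample key
    return {
        "key_bits": n_bits,
        "classical_expected_trials": classical_expected_trials(n_bits),
        "grover_iterations": grover_iterations(n_bits),
        "grover_success_probability": grover_success_probability(n_bits, target),
        "effective_security_bits": n_bits / 2,
    }


if __name__ == "__main__":
    for n in (4, 8, 12):
        print(compare_costs(n))
    # Overshoot: running twice the optimal count on a 4-bit key makes success unlikely.
    print("4-bit key, 6 iterations:", grover_success_probability(4, 11, iterations=6))
```

The sin((2r+1)θ) amplitude with θ = arcsin(1/√N) is what the loop reproduces numerically; for a 4-bit key the optimal three iterations give roughly 96% success while six give about 2%, which is why the iteration count, not just the query count, matters when quoting Grover costs.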