[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Post Quantum Tor

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Post Quantum Tor
From: Kevin Burress <speakeasysky@xxxxxxxxx>
Date: Mon, 28 May 2018 12:08:21 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 28 May 2018 12:08:50 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=WTtoLHopmqJg6k00vwztmDWeg/jXDKsQ0L/wr4fTcGI=; b=HK4RxxFjwWYwX69yL4qn18avutxmmPN4vlvrujyVXmRUbgw/qkxnk4VgWxWx1fFr7E XtsnqcKN5v625h0z7h7wdn0+ZIjStiFM6IT6aCory0RB+VC+sgGSgOM5ragJIW5s6GOD l3yw/GRgm/LP2NaQSPLFrV+Z09Y2W9SiOW9qUtlgGIq7iymKNI3d3DG3grvKv/UNjoPQ Iga+p9fog2kSZ4fyn3uopSJIUhlfdKaEUz+z7ewwkJjBbr8dJ//W6c568jOmaKFqWMxe JOMe3hlpxQAA0BHVw3pDfeqKSWCaHex5CUoDaMFE6a5xxJeAibifvza0lId3/hHtpx27 /WtQ==
In-reply-to: <53c30a18-da20-68d3-3ae6-d0dac506e9e2@sky-ip.org>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CA+0WX+=b=t0-SycJ_cuj7TOHrNVx4+F2=mJRstjgNiSL5P56CQ@mail.gmail.com> <7F3643F0-E3CB-47B6-A5F9-BB9F75B422FC@yahoo.com> <CAHWD2rJaUBJsby82KQX_a8B6N+RchfF_quL6xVhTuxPoUyCp7w@mail.gmail.com> <53c30a18-da20-68d3-3ae6-d0dac506e9e2@sky-ip.org>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

S7r I generally agree with you there. There is no evidence that it has been
broken. Thus we can only go by what these agencies are saying or hinting
about their capabilities. I certainly don't think that in this case it is
required and must negotiate with post quantum cryptography, only that as a
feature a client may require that for all of their tunnels unless it is
found to be flawed.


We know that ecdsa is weak against a quantum computer, as well as rsa. The
only evidence I can provide is publicly available:
https://cointelegraph.com/news/nsa-will-not-use-quantum-computers-to-crack-bitcoin-antonopoulos

The NSA stating they could break crypto with their current tools
(specifically the weak ecdsa used for wallets) and that they won't and use
the tools for "other things" which immediately makes me think of Tor.

The only other evidence I can submit as a need to upgrade encryption in
general is the government issued that they will no longer use key lengths
below 3k rsa, and require at least 4096 for top secret information.



On Mon, May 28, 2018, 11:48 AM s7r <s7r@xxxxxxxxxx> wrote:

> Lodewijk andré de la porte wrote:
> > RSA/ECDSA are both screwed.
> >
> > SPHINCS seems good.
> >
> > Post quantum asymcrypt doesn't seem generally ready yet, but hashes work.
> >
>
> You claim this based upon what evidence? Do you have any technical
> document or citation in order to sustain your claim? I am not talking
> about something you read on an anonymous blog here. Also, which RSA?
> There is limited evidence that RSA 1024 might not be sufficient with
> current existing computing power (not even evidence, more like an
> assumption), but RSA 2048 / 4096 should be sufficient. Even  for RSA
> 1024 you might need to be a real threat in order to be worth the
> resources to be spent on you.
>
> There is no evidence of ECDSA and ECDH being screwed (regardless of the
> curve used, NIST ones, cv25519, secp256k1, etc.).
>
> I understand that some might be inclined to think that everything is
> screwed, and that the NSA/CIA have the power to do anything, but there
> is no evidence to sustain such a claim. To be frank, I am very happy to
> have people like this in the community because problems might get fixed
> even before they become real problems.
>
> Everyone who correctly used encryption tools with up to date recommended
> standards were safe, the cases where it failed relied purely on human
> error, social engineering or other kind of side channel attacks. If I am
> able to spy on the passphrase of your private key (or if you have a weak
> dictionary passphrase that I can break with brute force in like 1 year)
> this does not mean I have the power to break the algorithm of your
> encryption key (RSA, ECC). Unfortunately way too many people use small,
> easy to remember passphrases (even related to their names, dates of
> birth, spouse names, pet names, etc.). A good brute force tool will take
> for example 2 years to break a relatively simple passphrase, but if fed
> with hints (names, dobs, friends, pets, places) that can be narrowed
> down exponentially to 2 months.
>
> Let's keep this discussion productive. Tor _needs_ post quantum
> resistant crypto as a _feature_, so that current traffic if captured and
> stored cannot be decrypted within reasonable time in the future. The
> time frame is variable an dependent on each case and threat model, but
> let's say like one or two decades. So, this is just an extra security
> measure Tor takes as the number one privacy tool, one that can be relied
> on.
>
> There is no evidence that quantum computers will be strong enough in 5
> or 10 years to break the current NON QUANTUM RESISTANT crypto used. At
> current moment quantum computers barely can do a square root of a two
> digit number. Also, I think it's safe to assume this type of threat is
> irrelevant if the current crypto in Tor might be broken in 100 years
> from now, because even if the subject is still alive at that moment, it
> might not matter at all.
>
> Taking the discussion just a little further, quantum computers face a
> physics problems related to time and space. A proven physics assumption
> tells us that something can only be in one place/position at a time.
> Like bits in normal computers nowadays, that can be either 0 either 1.
> Qbits have to be both at the same time. So, being a true lover of
> technology and believer, I am not stating it's impossible and it will
> never happen, but it is surely not knocking on our doors, from my opinion.
>
> Before experts struggle to answer this one, let us be productive and
> work on the proposals Nick quoted in a previous email to this thread, so
> we eliminate risk and don't have to worry if / when this becomes reality.
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Post Quantum Tor
  - From: s7r

References:
- [tor-talk] Post Quantum Tor
  - From: Kevin Burress
- Re: [tor-talk] Post Quantum Tor
  - From: Jacki M
- Re: [tor-talk] Post Quantum Tor
  - From: Lodewijk andré de la porte
- Re: [tor-talk] Post Quantum Tor
  - From: s7r

Prev by Author: Re: [tor-talk] Post Quantum Tor
Next by Author: Re: [tor-talk] Post Quantum Tor
Previous by thread: Re: [tor-talk] Post Quantum Tor
Next by thread: Re: [tor-talk] Post Quantum Tor
Index(es):
- Author
- Thread