| rfc9958v2.txt | rfc9958.txt | |||
|---|---|---|---|---|
| skipping to change at line 349 ¶ | skipping to change at line 349 ¶ | |||
| compared to traditional search algorithms. This has led to the | compared to traditional search algorithms. This has led to the | |||
| common misconception that symmetric key lengths need to be doubled | common misconception that symmetric key lengths need to be doubled | |||
| for quantum security. When you consider the mapping of hash values | for quantum security. When you consider the mapping of hash values | |||
| to their corresponding hash inputs (also known as pre-image) or of | to their corresponding hash inputs (also known as pre-image) or of | |||
| ciphertext blocks to the corresponding plaintext blocks as an | ciphertext blocks to the corresponding plaintext blocks as an | |||
| unstructured database, then Grover's algorithm theoretically requires | unstructured database, then Grover's algorithm theoretically requires | |||
| doubling the key sizes of the symmetric algorithms that are currently | doubling the key sizes of the symmetric algorithms that are currently | |||
| deployed at the time of publication to counter the quadratic speedup | deployed at the time of publication to counter the quadratic speedup | |||
| and maintain the current security level. This is because Grover's | and maintain the current security level. This is because Grover's | |||
| algorithm reduces the amount of operations to break 128-bit symmetric | algorithm reduces the amount of operations to break 128-bit symmetric | |||
| cryptography to 2^{64} quantum operations, which might sound | cryptography to 2^({64}) quantum operations, which might sound | |||
| computationally feasible. However, quantum operations are | computationally feasible. However, quantum operations are | |||
| fundamentally different from classical ones, as 2^{64} classical | fundamentally different from classical ones, as 2^({64}) classical | |||
| operations can be efficiently parallelized but 2^{64} quantum | operations can be efficiently parallelized but 2^({64}) quantum | |||
| operations must be performed serially, making them infeasible on | operations must be performed serially, making them infeasible on | |||
| practical quantum computers. | practical quantum computers. | |||
| Grover's algorithm is highly non-parallelizable and even if one | Grover's algorithm is highly non-parallelizable and even if one | |||
| deploys 2^c computational units in parallel to brute-force a key | deploys 2^c computational units in parallel to brute-force a key | |||
| using Grover's algorithm, it will complete in time proportional to | using Grover's algorithm, it will complete in time proportional to | |||
| 2^{(128-c)/2}, or, put simply, using 256 quantum computers will only | 2^({(128-c)/2}), or, put simply, using 256 quantum computers will | |||
| reduce runtime by a factor of 16, 1024 quantum computers will only | only reduce runtime by a factor of 16, 1024 quantum computers will | |||
| reduce runtime by a factor of 32, and so forth (see [NIST] and | only reduce runtime by a factor of 32, and so forth (see [NIST] and | |||
| [Cloudflare]). Due to this inherent limitation, the general expert | [Cloudflare]). Due to this inherent limitation, the general expert | |||
| consensus is that AES-128 remains secure in practice and key sizes do | consensus is that AES-128 remains secure in practice and key sizes do | |||
| not necessarily need to be doubled. | not necessarily need to be doubled. | |||
| It would be natural to ask whether future research will develop a | It would be natural to ask whether future research will develop a | |||
| superior algorithm that could outperform Grover's algorithm in the | superior algorithm that could outperform Grover's algorithm in the | |||
| general case. However, Christof Zalka has shown that Grover's | general case. However, Christof Zalka has shown that Grover's | |||
| algorithm achieves the best possible complexity for this type of | algorithm achieves the best possible complexity for this type of | |||
| search, meaning no significantly faster quantum approach is expected | search, meaning no significantly faster quantum approach is expected | |||
| [Grover-Search]. | [Grover-Search]. | |||
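Review bot: the exponent notation introduced at lines 14, 16, 17 and 23 of this block, `2^({64})` and `2^({(128-c)/2})`, nests braces inside parentheses, which is redundant in a plain-text RFC and is also inconsistent with `2^c` on the line "deploys 2^c computational units in parallel", which was left untouched. Pick one plain-text form and use it for every exponent in the section, for example `2^(64)`, `2^((128-c)/2)` and `2^(c)`. The arithmetic itself checks out: 256 = 2^8 gives 2^((128-8)/2) = 2^60, a factor of 2^4 = 16 over 2^64, and 1024 = 2^10 gives 2^59, a factor of 32. One wording issue carried over from the old text: "2^64 quantum operations must be performed serially" overstates the point, since the very next paragraph's formula shows that 2^c parallel units do buy a 2^(c/2) speedup; "cannot be parallelized efficiently" would match the formula.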
| skipping to change at line 1955 ¶ | skipping to change at line 1955 ¶ | |||
| [BHK09] Bellare, M., Hofheinz, D., and E. Kiltz, "Subtleties in | [BHK09] Bellare, M., Hofheinz, D., and E. Kiltz, "Subtleties in | |||
| the Definition of IND-CCA: When and How Should Challenge- | the Definition of IND-CCA: When and How Should Challenge- | |||
| Decryption be Disallowed?", Cryptology ePrint Archive, | Decryption be Disallowed?", Cryptology ePrint Archive, | |||
| Paper 2009/418, 2009, <https://eprint.iacr.org/2009/418>. | Paper 2009/418, 2009, <https://eprint.iacr.org/2009/418>. | |||
| [BIKE] "BIKE", <https://bikesuite.org/>. | [BIKE] "BIKE", <https://bikesuite.org/>. | |||
| [BPQS] Chalkias, K., Brown, J., Hearn, M., Lillehagen, T., Nitto, | [BPQS] Chalkias, K., Brown, J., Hearn, M., Lillehagen, T., Nitto, | |||
| I., and T. Schroeter, "Blockchained Post-Quantum | I., and T. Schroeter, "Blockchained Post-Quantum | |||
| Signatures", Cryptology ePrint Archive, Paper 2018/658, | Signatures", Cryptology ePrint Archive, Paper 2018/658, | |||
| n.d., <https://eprint.iacr.org/2018/658>. | <https://eprint.iacr.org/2018/658>. | |||
| [BSI-PQC] BSI, "Quantum-safe cryptography - fundamentals, current | [BSI-PQC] BSI, "Quantum-safe cryptography - fundamentals, current | |||
| developments and recommendations", 18 May 2022, | developments and recommendations", 18 May 2022, | |||
| <https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ | <https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ | |||
| Publications/Brochure/quantum-safe- | Publications/Brochure/quantum-safe- | |||
| cryptography.html?nn=916626>. | cryptography.html?nn=916626>. | |||
| [Cloudflare] | [Cloudflare] | |||
| Westerbaan, B., "NIST's pleasant post-quantum surprise", | Westerbaan, B., "NIST's pleasant post-quantum surprise", | |||
| Cloudflare Blog, 8 July 2022, | Cloudflare Blog, 8 July 2022, | |||
| <https://blog.cloudflare.com/nist-post-quantum-surprise/>. | <https://blog.cloudflare.com/nist-post-quantum-surprise/>. | |||
| [CNSA2-0] NSA, "Announcing the Commercial National Security | [CNSA2-0] NSA, "Announcing the Commercial National Security | |||
| Algorithm Suite 2.0", September 2022, | Algorithm Suite 2.0", September 2022, | |||
| <https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/ | <https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/ | |||
| CSA_CNSA_2.0_ALGORITHMS.PDF>. | CSA_CNSA_2.0_ALGORITHMS.PDF>. | |||
| [CONSTRAIN-DEV-PCQ] | [CONSTRAIN-DEV-PCQ] | |||
| Reddy.K, T., Wing, D., S, B., and K. Kwiatkowski, | Reddy.K, T., Wing, D., Salter, B., and K. Kwiatkowski, | |||
| "Adapting Constrained Devices for Post-Quantum | "Adapting Constrained Devices for Post-Quantum | |||
| Cryptography", Work in Progress, Internet-Draft, draft- | Cryptography", Work in Progress, Internet-Draft, draft- | |||
| ietf-pquip-pqc-hsm-constrained-05, 1 April 2026, | ietf-pquip-pqc-hsm-constrained-05, 1 April 2026, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-pquip- | <https://datatracker.ietf.org/doc/html/draft-ietf-pquip- | |||
| pqc-hsm-constrained-05>. | pqc-hsm-constrained-05>. | |||
| [CRQCThreat] | [CRQCThreat] | |||
| Jaques, S., "Landscape of Quantum Computing", | Jaques, S., "Landscape of Quantum Computing", | |||
| <https://sam-jaques.appspot.com/quantum_landscape_2024>. | <https://sam-jaques.appspot.com/quantum_landscape_2024>. | |||
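Review bot: dropping "n.d." from [BPQS] leaves that entry with no date at all, while the other ePrint entries in the list ([BHK09] carries 2009, [Mitigate3] carries 2022) each give a year; ePrint paper 2018/658 was deposited in 2018, so "2018" should go where "n.d." was rather than nothing. The [CONSTRAIN-DEV-PCQ] author fix ("S, B." to "Salter, B.") is correct. Separately, [CRQCThreat] and [BIKE] are undated web pages; if the RFC Editor's style for undated web references is being applied elsewhere, apply it here too for consistency.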
| skipping to change at line 2099 ¶ | skipping to change at line 2099 ¶ | |||
| <https://ieeexplore.ieee.org/document/9855226>. | <https://ieeexplore.ieee.org/document/9855226>. | |||
| [Mitigate3] | [Mitigate3] | |||
| Azouaoui, M., Kuzovkova, Y., Schneider, T., and C. V. | Azouaoui, M., Kuzovkova, Y., Schneider, T., and C. V. | |||
| Vredendaal, "Post-Quantum Authenticated Encryption against | Vredendaal, "Post-Quantum Authenticated Encryption against | |||
| Chosen-Ciphertext Side-Channel Attacks", Cryptology ePrint | Chosen-Ciphertext Side-Channel Attacks", Cryptology ePrint | |||
| Archive, Paper 2022/916, 2022, | Archive, Paper 2022/916, 2022, | |||
| <https://eprint.iacr.org/2022/916>. | <https://eprint.iacr.org/2022/916>. | |||
| [ML-DSA-X.509] | [ML-DSA-X.509] | |||
| Ounsworth, M., Gray, J., Pala, M., Klaussner, J., and S. | Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S. | |||
| Fluhrer, "Composite Module-Lattice-Based Digital Signature | Fluhrer, "Composite Module-Lattice-Based Digital Signature | |||
| Algorithm (ML-DSA) for use in X.509 Public Key | Algorithm (ML-DSA) for use in X.509 Public Key | |||
| Infrastructure", Work in Progress, Internet-Draft, draft- | Infrastructure", Work in Progress, Internet-Draft, draft- | |||
| ietf-lamps-pq-composite-sigs-19, 21 April 2026, | ietf-lamps-pq-composite-sigs-19, 21 April 2026, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-lamps- | <https://datatracker.ietf.org/doc/html/draft-ietf-lamps- | |||
| pq-composite-sigs-19>. | pq-composite-sigs-19>. | |||
| [NIST] NIST, "Post-Quantum Cryptography Standardization", | [NIST] NIST, "Post-Quantum Cryptography Standardization", | |||
| <https://csrc.nist.gov/projects/post-quantum-cryptography/ | <https://csrc.nist.gov/projects/post-quantum-cryptography/ | |||
| post-quantum-cryptography-standardization>. | post-quantum-cryptography-standardization>. | |||
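Review bot: the change of "Klaussner" to "Klaußner" in [ML-DSA-X.509] introduces a non-ASCII character (U+00DF) into the reference; that is permitted for author names in the current RFC format, but make sure the same spelling is used everywhere the name appears in this document and that the plain-text rfc9958.txt rendering actually carries the UTF-8 form rather than a mangled byte sequence. Also note that [NIST], which the Grover paragraph earlier in the diff cites for the statement that key sizes "do not necessarily need to be doubled", resolves to an undated project landing page; a pointer to the specific NIST FAQ or report that makes that statement would be a stronger citation.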
| skipping to change at line 2134 ¶ | skipping to change at line 2134 ¶ | |||
| v4_0_1.pdf>. | v4_0_1.pdf>. | |||
| [PQ-HPKE] Barnes, R. and D. Connolly, "Post-Quantum and Post- | [PQ-HPKE] Barnes, R. and D. Connolly, "Post-Quantum and Post- | |||
| Quantum/Traditional Hybrid Algorithms for HPKE", Work in | Quantum/Traditional Hybrid Algorithms for HPKE", Work in | |||
| Progress, Internet-Draft, draft-ietf-hpke-pq-04, 2 March | Progress, Internet-Draft, draft-ietf-hpke-pq-04, 2 March | |||
| 2026, <https://datatracker.ietf.org/doc/html/draft-ietf- | 2026, <https://datatracker.ietf.org/doc/html/draft-ietf- | |||
| hpke-pq-04>. | hpke-pq-04>. | |||
| [PQ-KEM] Connolly, D., Barnes, R., and P. Grubbs, "Hybrid PQ/T Key | [PQ-KEM] Connolly, D., Barnes, R., and P. Grubbs, "Hybrid PQ/T Key | |||
| Encapsulation Mechanisms", Work in Progress, Internet- | Encapsulation Mechanisms", Work in Progress, Internet- | |||
| Draft, draft-irtf-cfrg-hybrid-kems-10, 2 March 2026, | Draft, draft-irtf-cfrg-hybrid-kems-11, 7 May 2026, | |||
| <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- | <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- | |||
| hybrid-kems-10>. | hybrid-kems-11>. | |||
| [PQ-MLS] Joël, Hale, B., Mularczyk, M., and X. Tian, "Flexible | [PQ-MLS] Tian, X., Hale, B., Mularczyk, M., and J. Alwen, | |||
| Hybrid PQ MLS Combiner", Work in Progress, Internet-Draft, | "Amortized PQ MLS Combiner", Work in Progress, Internet- | |||
| draft-hale-mls-combiner-01, 26 September 2024, | Draft, draft-ietf-mls-combiner-02, 22 October 2025, | |||
| <https://datatracker.ietf.org/doc/html/draft-hale-mls- | <https://datatracker.ietf.org/doc/html/draft-ietf-mls- | |||
| combiner-01>. | combiner-02>. | |||
| [PQCAPI] NIST, "PQC - API notes", | [PQCAPI] NIST, "PQC - API notes", | |||
| <https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum- | <https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum- | |||
| Cryptography/documents/example-files/api-notes.pdf>. | Cryptography/documents/example-files/api-notes.pdf>. | |||
| [PQRSA] Bernstein, D. J., Heninger, N., Lou, P., and L. Valenta, | [PQRSA] Bernstein, D. J., Heninger, N., Lou, P., and L. Valenta, | |||
| "Post-quantum RSA", 19 April 2017, | "Post-quantum RSA", 19 April 2017, | |||
| <https://cr.yp.to/papers/pqrsa-20170419.pdf>. | <https://cr.yp.to/papers/pqrsa-20170419.pdf>. | |||
| [PQUIP-WG] IETF, "Post-Quantum Use In Protocols (pquip)", | [PQUIP-WG] IETF, "Post-Quantum Use In Protocols (pquip)", | |||
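Review bot: the [PQ-MLS] rewrite does more than bump a version: the title changes from "Flexible Hybrid PQ MLS Combiner" to "Amortized PQ MLS Combiner", the document moves from the individual submission draft-hale-mls-combiner-01 (September 2024) to the working group draft draft-ietf-mls-combiner-02 (October 2025), and the author list is reordered with Tian, X. first and Alwen, J. last. Check that every body sentence citing [PQ-MLS] still describes what the new draft specifies, since the change from "flexible hybrid" to "amortized" in the title suggests the mechanism was reworked between the two versions. The author-list fix is clearly right, as the old entry began with the bare first name "Joël". The [PQ-KEM] bump from draft-irtf-cfrg-hybrid-kems-10 to -11 (7 May 2026) is a straightforward refresh, but it postdates every other Internet-Draft date in the list, so confirm no other draft has a newer version as of the same cut-off.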
| End of changes. 9 change blocks. | ||||
| 16 lines changed or deleted | 16 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||