On 09/01/2023 06:20, David Barrett wrote:
On Sun, Jan 8, 2023, 7:37 PM Peter Fairbrother <peter@tsto.co.uk> wrote:
There are no widespread supposed-to-be-QR asymmetric algorithms that I would trust right now.
None of the lattice based approaches? I'm curious why not?
First, recently proposed lattice-based algorithms have been falling like flies. Doesn't give one much confidence.

Second, Schneier's Law: "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around."

It's not just years of analysis of the algorithm which is required; years of analysis of the implementation is essential too. Tiny mistakes can lead to breaks. Lattice-based approaches have simply not had those years of analysis. Plus, there aren't enough people who understand them right now to do the analysis anyway; after adoption lots of new people will [#] be boning up on or studying lattice math.

Third, a bit fuzzy, but I don't like the groups lattice-based systems use; they tend to have too much excess structure. Either that or they take too long. Compared with discrete logarithms or, to a lesser extent, RSA integer factorisation, whose groups (when people do not use so-called optimisations) have exactly the needed structure and no more, lattice-based groups have structure in unnecessary places, which leads to law 6 based failure: Complex systems provide more places to attack. This is at base the weakness behind three or so (I haven't been keeping close count) of the recent breaks of lattice-based systems.

Fourth, none of the lattice-based approaches are as yet in widespread use. As you may gather I am of the opinion that none are as yet suitable for widespread deployment, but that doesn't change the fact that they aren't widely used right now. Which leads to law 8 based failure: A system which is hard to use will be misused, abused and underused.

[#] note I say will rather than would - I suspect the tide is moving irresistibly towards some lattice-based approach.
But I may be wrong.

Peter Fairbrother

The laws of secure system design:
0 It's all about who is in control
1 Someone or something else is after the stuff you have
2 Stuff you don't have can't be taken from you
3 Everywhere can be attacked
4 More complex systems provide more places to attack
5 Attack methods are many, varied, ever-changing and eternal
6 Only those you trust can betray you
7 Holes for good guys are holes for bad guys too
8 A system which is hard to use will be misused, abused and underused
9 Security is a Boolean from a future history point of view
10 Two things once publicly linkable cannot be unlinked