More on the RSA crack by new quantum approach paper

Peter Fairbrother peter at tsto.co.uk
Mon Jan 9 08:24:57 PST 2023


On 09/01/2023 06:20, David Barrett wrote:
> On Sun, Jan 8, 2023, 7:37 PM Peter Fairbrother <peter at tsto.co.uk> wrote:
> 
>     There are no widespread supposed-to-be-QR asymmetric algorithms that I
>     would trust right now.
> 
> 
> None of the lattice based approaches?  I'm curious why not?

First, recently proposed lattice-based algorithms have been falling like 
flies. Doesn't give one much confidence.
Second, Schneier's Law:

"Anyone, from the most clueless amateur to the best cryptographer, can 
create an algorithm that he himself can't break. It's not even hard. 
What is hard is creating an algorithm that no one else can break, even 
after years of analysis. And the only way to prove that is to subject 
the algorithm to years of analysis by the best cryptographers around."

It's not just years of analysis of the algorithm which is required, 
years of analysis of the implementation is essential too. Tiny mistakes 
can lead to breaks.

Lattice-based approaches have simply not had those years of analysis.

Plus, there aren't enough people who understand them right now to do the 
analysis anyway; after adoption lots of new people will [#] be boning up 
on or studying lattice math.
Third, a bit fuzzy, but I don't like the groups lattice-based systems 
use, they tend to have too much excess structure. Either that or they 
take too long.

Compared with discrete logarithms or, to a lesser extent, RSA integer 
factorisation, whose groups (when people do not use so-called 
optimisations) have exactly the needed structure and no more, 
lattice-based groups have structure in unnecessary places, which leads 
to law 6 based failure: Complex systems provide more places to attack.

This is at base the weakness behind three or so (I haven't been keeping 
close count) of the recent breaks of lattice-based systems.
Fourth, none of the lattice-based approaches are as yet in widespread 
use. As you may gather I am of the opinion that none are as yet suitable 
for widespread deployment, but that doesn't change the fact that they 
aren't widely used right now. Which leads to law 8 based failure: A 
system which is hard to use will be misused, abused and underused.
[#] note I say will rather than would - I suspect the tide is moving 
irresistibly towards some lattice-based approach. But I may be wrong.


Peter Fairbrother


The laws of secure system design:


0 It's all about who is in control

1 Someone or something else is after the stuff you have

2 Stuff you don't have can't be taken from you

3 Everywhere can be attacked

4 More complex systems provide more places to attack

5 Attack methods are many, varied, ever-changing and eternal

6 Only those you trust can betray you

7 Holes for good guys are holes for bad guys too

8 A system which is hard to use will be misused, abused and underused

9 Security is a Boolean from a future history point of view

10 Two things once publicly linkable cannot be unlinked


More information about the cypherpunks mailing list