Re: RSA and Quantum

On Wed, Jul 17, 2024 at 5:10 PM Dr. Neal Krawetz <ietf=40hackerfactor.com@xxxxxxxxxxxxxx> wrote:
> Hi folks,
>
> TL;DR: Is anyone working on the "RSA will be deprecated, making DKIM and other protocols broken" issue?
>
> Longer description of the problem:
>
> The talk in the crypto community is that RSA will become deprecated when quantum crypto becomes accepted as a standard.
> This could be in a year or a decade, but it's coming.  (Not "if", only "when".)

Or it could be never. At this point there are no quantum computers, only science experiments. As a former experimental physicist, I am probably better informed on the prospects than most in the cryptography community.

At this point, we still don't really know what superconductivity is and whether it is actually a quantum effect we are seeing in these super cold qubits or a macro effect mimicking a quantum effect. Nor do we know whether quantum states can stack to infinite degree. All these things are worth investigating.

Superconducting quantum machines are clearly a dead end, the approach does not scale, while you can pile up the qubits, the number of quantum operations you can perform is still horribly limited. And doubling the computation capability is tending to double the cost. Trapped ion machines are scalable in theory but unbuilt in practice. The problem being that regardless of how slow progress is, from this point on we always have to accept the possibility technology advances to the point where building one is practical within a decade. And since that is an Eschaton level threat, we have to take it seriously.

> When this happens, a lot of standards rely on RSA and they will need to update.
>
> I'm currently looking at DKIM (for email; RFC 6376).
> DKIM uses RSA for signing emails.
> DKIM uses DNS to host the public keys.

DKIM is an authentication technology so we don't actually need to be concerned with pre-planning as we do with stored data. It is also an anti-abuse scheme. Even if someone does build a quantum computer, the chance that it will be cheap enough to run to bypass anti-spam technology is vanishingly small. Malicious actors equipped with quantum computers will have much more profitable targets. The EMV card payment systems for example.

It is also a pretty simple fix: instead of putting the public key in the DNS, you put the SHA-2/3-512 hash of the key in the DNS and put the public key in the signature block.

If I was going to be concerned about quantum proofing an IETF authentication protocol, DNSSEC would be a much bigger priority for me.


Given how far the telephone system has fallen in the past few years with VOIP based robocalling abuse, I will be very surprised if we are using the legacy phone system in ten years time. Any replacement will have to have access control built into the infrastructure. And if we have that for voice and video, we will use it for messaging, mail and large file transfer as well.

I can't be the only person who has designed such a protocol, surely. All we need to do is connect up the Mesh contact book and presence system to MOQ and we have an open service voice/video system capable of replacing the telephone system. The only reason the telephone system is still standing is that all the WebRTC based alternatives are proprietary walled gardens which don't offer the equivalent of telephone number portability.

Just finished the GUI client for the Mesh phase 1 functionality and presented it at HOPE 2024. 
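The DNS-commitment fix described in the reply, as an added toy example that is not code from the thread or from any DKIM implementation: the DNS TXT record carries only a SHA-512 hash of the public key, the signature block carries the key itself, and the verifier accepts the carried key only when its hash matches the DNS commitment. The `kh` tag, the `rsa-toy` key encoding and the tiny RSA key pair are constructed assumptions, not RFC 6376 syntax.

```python
import hashlib
import hmac

# Constructed toy RSA key pair (two small primes): insecure, only to show
# the flow end to end without an external library.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBKEY = f"rsa-toy:{E}:{N}"  # public key as carried in the signature block


def key_hash(pubkey: str) -> str:
    """SHA-512 of the public key: this, not the key, is published in DNS."""
    return hashlib.sha512(pubkey.encode()).hexdigest()


def dns_record(pubkey: str) -> str:
    """Constructed TXT record; the 'kh' (key hash) tag is hypothetical."""
    return f"v=DKIM1; h=sha-512; kh={key_hash(pubkey)}"


def sign(message: bytes) -> dict:
    """Signature block: the public key travels with the signature."""
    h = int.from_bytes(hashlib.sha512(message).digest(), "big") % N
    return {"k": PUBKEY, "b": pow(h, D, N)}


def parse_tags(record: str) -> dict:
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)


def verify(message: bytes, block: dict, record: str) -> bool:
    """Trust the carried key only if its hash matches the DNS commitment,
    then check the signature with that key."""
    tags = parse_tags(record)
    if tags.get("h") != "sha-512" or "kh" not in tags:
        return False
    if not hmac.compare_digest(tags["kh"], key_hash(block["k"])):
        return False  # key in the message does not match the DNS commitment
    try:
        _, e, n = block["k"].split(":")
        e, n = int(e), int(n)
    except ValueError:
        return False
    h = int.from_bytes(hashlib.sha512(message).digest(), "big") % n
    return pow(block["b"], e, n) == h
```

Because the DNS record no longer names the key type, the same record shape works unchanged when the signature block later carries a post-quantum key instead of an RSA one.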

