RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

[Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>]

mdb%juniper.net@localhost <mdb%juniper.net@localhost> writes:

>I just noticed that the Information Assurance Directorate at the NSA has a
>new article on 'CNSA Suite and Quantum Computing FAQ' ... their URL is
>
>https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm

My response to this, on the CFRG list, was:

>On the QC stuff. Of course we have to start looking at that now. But I think
>we need to look at the problem on two separate tracks:
>
>1) Find a public key algorithm that resists QC using Shorr's algorithm.
>2) Find a mechanism that makes symmetric key feasible in place of public.

You forgot step 0:

0) Figure out whether any of this stuff is actually necessary

This is just a bunch of random numbers pulled out of thin air, just as Suite B
was in its day, and CCEP was before that.  There's no empirical argument
supporting any of this, just a huge what-if.  For all we know the entire
document could have come about from a barroom bet, "Well Bill, you had them
chasing the Suite B white elephant, Dave got them really good with Dual-EC,
now it's my turn to see how high I can make them jump.  And best of all, TAO
will love me for it because they'll have to throw out most of their already-
deployed, partially-patched-up infrastructure and start again, leading to lots
of new exploitable mistakes and errors".

If you're worried about QC, why aren't you worried about TWINKLE/TWIRL, which
is at least as feasible, if not more so, than QC, and has been around much
longer?

If the NSA wants to put forward a new white elephant to supplant Suite B and
the rest, hand them a can of paint and point them at the nearest zoo.  In the
meantime I'll stick with addressing problems that are actual problems, there's
more than enough of those to go round.

Peter.