On Feb 8, 2023, at 8:21 PM, Thomas Braun <tbra...@gmail.com> wrote:
The NIST has recently standardized Ascon for a "lightweight" symmetric cipher scheme. Would the quantum-resistance be similar to the quantum-resistance provided by other symmetric ciphers like AES and ChaCha20Poly1305?
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/6a48cde6-72c9-4e4d-98be-a240110f1759n%40list.nist.gov.
On Feb 9, 2023, at 10:40 AM, Anubhab Baksi <anubha...@ntu.edu.sg> wrote:
This paper might be of interest to you...? By the way, we have already found some improvements.
Since there is a lifetime of "decades" (assuming the state of the art with respect to public-sector knowledge is indeed state of the art, which it usually isn't) for the security of Ascon128, we should assume that Ascon is not meant for protecting data that requires a longer security lifetime (e.g., social security numbers, military data, bank routing numbers, etc).
And this is the problem with the NIST choice of a winner that does not provide a 256-bit key option.
P.S. I understand that some “lightweight” use cases do not need a 256-bit key. But enough of them do… NIST, I’m surprised.
On Thursday, February 9, 2023 at 8:49:04 AM UTC-5 Mike Hamburg wrote:
On Feb 9, 2023, at 10:40 AM, Anubhab Baksi <anubha...@ntu.edu.sg> wrote:
This paper might be of interest to you...? By the way, we have already found some improvements.
Hi Anubhab,
Yes, this is interesting, though it’s only one piece of the puzzle: an estimate of the cost of running the permutation on a quantum computer.
The other and likely more impactful question is, how many times must an attacker run the permutation, and at what depth, for a brute-force attack to succeed with whatever probability? This is claimed as “2^80” but is it 2^160 / depth, or 2^128 / sqrt(depth), or something else? And how certain are we in those estimates?
I don’t expect that anyone has yet analyzed the security of the permutation itself against quantum attack, but even in the QROM, what are the best attacks / best lower bounds on the mode?
For hashing modes, there is at least some material to start on from Keccak’s evaluation, such as https://eprint.iacr.org/2017/771.pdf, but I’m not familiar with sponge AEAD evaluations to know the state of the art.
Thanks,
— Mike
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/efbb0b1a-2f70-4a50-aa77-b90dd5f16cf9n%40list.nist.gov.
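To make the depth-versus-cost question in Mike's message concrete, here is an added illustration (not from the thread or from the Ascon team) of the standard parallel-Grover cost model for a k-bit key, capped at a maximum sequential depth such as the MAXDEPTH values NIST used in its PQC call. The single-run success formula and the "N/D^2 machines" parallelization are the textbook model and are stated here as assumptions, not as the thread's own estimate.

```python
import math

# Constructed model: brute-force key search with Grover's algorithm over N = 2^k keys.
# A single Grover instance run for D iterations finds the key with probability
# sin^2((2D+1) * asin(1/sqrt(N))); with M machines in parallel, each capped at
# depth D, about N/D^2 machines are needed (ignoring small constant factors),
# for a total of about N/D oracle calls, i.e. 2^k / depth, not 2^k / sqrt(depth).

def grover_success_probability(key_bits: int, depth: int) -> float:
    """Probability that one Grover instance of `depth` iterations recovers the key."""
    theta = math.asin(2.0 ** (-key_bits / 2))
    return math.sin((2 * depth + 1) * theta) ** 2


def parallel_grover_cost(key_bits: int, log2_maxdepth: int) -> dict:
    """Log2 of depth, machine count and total oracle calls for a near-certain search
    when each machine is limited to 2^log2_maxdepth sequential permutation calls."""
    # Unconstrained Grover needs about 2^(k/2) sequential iterations; a cap
    # above that buys nothing.
    log2_depth = min(log2_maxdepth, key_bits / 2)
    # Each machine of depth D succeeds with probability ~ D^2/N, so N/D^2
    # machines are needed to succeed with constant probability.
    log2_machines = key_bits - 2 * log2_depth
    log2_total_calls = log2_machines + log2_depth  # equals k - log2(D): N/D
    return {
        "log2_depth": log2_depth,
        "log2_machines": log2_machines,
        "log2_total_calls": log2_total_calls,
    }


def compare_key_sizes(log2_maxdepth: int) -> dict:
    """Total oracle-call exponent for a 128-bit key (Ascon-128) vs a 256-bit key."""
    return {
        k: parallel_grover_cost(k, log2_maxdepth)["log2_total_calls"]
        for k in (128, 256)
    }


if __name__ == "__main__":
    for d in (40, 64, 96):  # MAXDEPTH values from NIST's PQC call
        print(f"MAXDEPTH 2^{d}: log2(total calls) = {compare_key_sizes(d)}")
```

The numbers say nothing about the quantum cost of one Ascon permutation call (the paper Anubhab linked addresses that); they only fix the number of calls the mode forces for given depth, which is the other half of Mike's question.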