Dear PQC forum,
Non-repudiation (of signatures) is threatened by future quantum computers, right?
For example, in some (hypothetical) applications of
digital signatures, signers should not be able to repudiate their signatures in
the future. But if a quantum computer arrives, let's say in 2030, signers can
repudiate in 2030 their old RSA and ECC signatures generated in 2021, by
arguing to third parties that the signatures were forged in 2030 with a quantum
computer. Fortunately, PQC can fix this.
Verifiers in 2021 who want to hold the signers to their commitment beyond the
quantum era (e.g. >2030) should already want signers to use PQC signatures
in 2021.
This risk issue seems implicit in Mosca's x+y > z
approach. But I've (mis)heard it said that signatures are not threatened by
future quantum computers.
Details limit the quantum threat to non-repudiation risk,
likely making it much less than the risk to forward secrecy.
(1) Non-repudiation of digital signatures is rarely used; it is a niche application.
(2) Repudiating signers can already claim their devices have been hacked and keys
stolen, which may already be more plausible now than a future quantum attack.
(3) Verifiers can insist that signers periodically re-sign their messages with the
latest algorithms, eventually migrating to PQC.
(4) Time-stamps, such as a block-chain or official notarization records, if both
quantum-resistant and applied close to signing time, can effectively back-date
signatures, preventing repudiation.
(5) Social traditions, e.g. courts, will probably always contribute more to
non-repudiation than digital signatures do.
Nonetheless, PQC signatures seem somewhat more urgent
than the low risk to real-time authentication (a common digital signature
application) would suggest.
Best regards,
-- Dan
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/4588b8c4-ebc2-4487-aa5d-fb7f1bdd8760n%40list.nist.gov.
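Point (4) of the post above, a quantum-resistant time-stamp applied close to signing time, can be shown concretely. The following is an added example and not code from the post or from any pqc-forum project: a SHA-256 hash-chained log in which each entry commits to the exact (message, signature) bytes and to every earlier entry. The "signature" blobs are constructed random bytes standing in for 2021 RSA/ECC signatures, the timestamps are assumed to come from a trusted notary or ledger, and the chain is a generic hash chain rather than RFC 3161 tokens or any particular blockchain. The demo function logs a genuine signature, then checks that a later forgery over the same message is not found in the pre-deadline entries and that rewriting an old entry breaks the chain.

```python
"""Hash-chained timestamp log that anchors a classical signature.

Added example for the pqc-forum discussion above; it is not code from the
post or from any project. Assumptions (all constructed for illustration):
the 'signature' blobs are random bytes standing in for 2021 RSA/ECC
signatures, timestamps are taken as trusted, and the chain is a generic
SHA-256 hash chain, not RFC 3161 tokens or any particular blockchain.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

GENESIS = b"\x00" * 32  # digest of the (empty) log before any entry


@dataclass(frozen=True)
class Entry:
    index: int
    timestamp: int   # seconds since epoch, assumed supplied by a trusted notary/ledger
    leaf: bytes      # commitment to (message, signature)
    prev: bytes      # digest of the previous entry; links the chain
    digest: bytes    # digest of this entry


def leaf_hash(message: bytes, signature: bytes) -> bytes:
    """Commit to the message AND the exact signature bytes (length-prefixed
    so that the message/signature boundary is unambiguous)."""
    h = hashlib.sha256(b"leaf|")
    h.update(len(message).to_bytes(4, "big") + message)
    h.update(len(signature).to_bytes(4, "big") + signature)
    return h.digest()


def entry_hash(index: int, timestamp: int, leaf: bytes, prev: bytes) -> bytes:
    h = hashlib.sha256(b"entry|")
    h.update(index.to_bytes(8, "big"))
    h.update(timestamp.to_bytes(8, "big"))
    h.update(leaf)
    h.update(prev)
    return h.digest()


class TimestampLog:
    """Append-only log; each entry binds a leaf to a time and to all earlier entries."""

    def __init__(self) -> None:
        self.entries = []

    def head(self) -> bytes:
        return self.entries[-1].digest if self.entries else GENESIS

    def append(self, message: bytes, signature: bytes, timestamp: int) -> Entry:
        index = len(self.entries)
        prev = self.head()
        leaf = leaf_hash(message, signature)
        entry = Entry(index, timestamp, leaf, prev, entry_hash(index, timestamp, leaf, prev))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every digest and link; any edited or reordered entry breaks it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev != prev:
                return False
            if not hmac.compare_digest(e.digest, entry_hash(e.index, e.timestamp, e.leaf, e.prev)):
                return False
            if i and e.timestamp < self.entries[i - 1].timestamp:
                return False  # time must not run backwards within the chain
            prev = e.digest
        return True

    def existed_by(self, message: bytes, signature: bytes, deadline: int) -> bool:
        """True iff this exact (message, signature) pair was logged no later than
        `deadline` and the chain is intact. A signature produced after `deadline`
        (e.g. a quantum forgery) has different bytes, so its leaf cannot appear in
        the pre-deadline entries without a second preimage of SHA-256."""
        if not self.verify_chain():
            return False
        target = leaf_hash(message, signature)
        return any(e.timestamp <= deadline and hmac.compare_digest(e.leaf, target)
                   for e in self.entries)


def timestamp_demo() -> dict:
    """Log a 2021 signature, then check how a 2030 forgery and a tampered log fare."""
    log = TimestampLog()
    contract = b"I agree to pay 100 EUR"          # constructed message
    sig_2021 = os.urandom(64)                     # stand-in for the real 2021 signature
    log.append(contract, sig_2021, timestamp=1609459200)   # 2021-01-01 (constructed)
    log.append(b"unrelated record", os.urandom(64), timestamp=1612137600)
    end_of_2021 = 1640995199

    forged_2030 = os.urandom(64)  # different bytes, as any forgery over the same message would be
    results = {
        "genuine_existed_in_2021": log.existed_by(contract, sig_2021, end_of_2021),
        "forgery_existed_in_2021": log.existed_by(contract, forged_2030, end_of_2021),
    }
    # Try to rewrite history: swap the 2021 leaf for the forgery's leaf, keeping the old digest.
    e0 = log.entries[0]
    log.entries[0] = Entry(0, e0.timestamp, leaf_hash(contract, forged_2030), e0.prev, e0.digest)
    results["tampering_detected"] = not log.verify_chain()
    return results
```

Two caveats a practitioner would add: the log proves only that a pair existed no later than its entry time, which is why the post says "applied close to signing time", and that bound is only as good as the witnessing of the chain head (published, notarized, or replicated in a ledger at that time), since a log keeper who controls the whole chain could fabricate an old one. The quantum-resistance claim reduces to SHA-256 second-preimage resistance, which Grover's algorithm only reduces to roughly 2^128 work.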
--
Why, because SPHINCS+ is as secure as the hash it uses?
Hmm, this raises some further questions:
Is some version of XMSS or LMS usable for non-repudiation signature applications?
Would an (algorithmic) attack on SPHINCS+ imply an attack on other (NIST PQC) signatures?
Some signature schemes can meet narrower security goals (resisting passive universal forgery), regardless of the hash security, but how do the various hash-based signatures fare against the narrower classes of forgers? (Likely, the answer is in the thorough documentation, already.)
>> I really can't see why anything but SPHINCS would ever be used in this
>> application given the need to survive potential cryptanalysis.
>
> Why, because SPHINCS+ is as secure as the hash it uses?

I never actually looked at SPHINCS+. Is the above proven and verified?

> Hmm, this raises some further questions:
> Is some version of XMSS or LMS usable for non-repudiation signature applications?

That [non-repudiation] is what the term "digital signature" implies. A specific application may or may not be amenable to the restrictions/peculiarities that LMS/XMSS-type signatures impose on the framework.

> Would an (algorithmic) attack on SPHINCS+ imply an attack on other (NIST PQC) signatures?

Why should it?
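The two threads of the exchange above, "as secure as the hash it uses" and the "restrictions/peculiarities" of LMS/XMSS-type schemes, both come down to the one-time hash-based signature those schemes are built from. The following is an added example, not SPHINCS+, XMSS or LMS code and not from any project: a Lamport one-time signature over SHA-256, whose verification succeeds only if the signer revealed preimages of the public-key hashes, together with the failure mode that makes the stateful schemes stateful. Assumptions: SHA-256 is the only primitive, keys are derived from a constructed seed so the run is reproducible, and the key-reuse demonstration uses a toy digest length (n = 16 bits) so the forger's search finishes in well under a second; a real instance uses n = 256.

```python
"""Lamport one-time signature over SHA-256, plus the key-reuse failure mode.

Added example for the thread above; it is not SPHINCS+/XMSS/LMS code and
not from any project. Assumptions: SHA-256 is the only primitive, keys are
derived from a seed for reproducibility, and the reuse demonstration uses a
toy digest length (n = 16 bits) so the search finishes quickly; real
deployments use n = 256, and the stateful schemes exist to make reuse impossible.
"""
import hashlib
import hmac
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes, n: int) -> list:
    """First n bits of SHA-256(msg), most significant first."""
    value = int.from_bytes(H(msg), "big") >> (256 - n)
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]


def keygen(n: int = 256, seed: bytes = None):
    """sk[i][b] is a secret 32-byte value; pk[i][b] = H(sk[i][b])."""
    if seed is None:
        seed = os.urandom(32)
    sk = [[H(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)] for i in range(n)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit, the secret half matching that bit. ONE message per key."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg, len(sk)))]


def verify(pk, msg: bytes, sig: list) -> bool:
    """Forging without reuse means finding a preimage of H for some pk[i][1-b]:
    the scheme's security rests on the hash's one-wayness, nothing number-theoretic."""
    n = len(pk)
    if len(sig) != n:
        return False
    return all(hmac.compare_digest(H(s), pk[i][b])
               for i, (s, b) in enumerate(zip(sig, msg_bits(msg, n))))


def forge_from_reuse(pk, signed: list, max_tries: int = 1 << 20):
    """Given several signatures under ONE key, collect the revealed secrets and
    search for a fresh message whose digest bits are all already revealed.
    Returns (message, signature) or None if the search budget runs out."""
    n = len(pk)
    revealed = [dict() for _ in range(n)]
    for msg, sig in signed:
        for i, b in enumerate(msg_bits(msg, n)):
            revealed[i][b] = sig[i]
    already = {msg for msg, _ in signed}
    for k in range(max_tries):
        cand = b"forged-" + k.to_bytes(4, "big")
        bits = msg_bits(cand, n)
        if cand not in already and all(b in revealed[i] for i, b in enumerate(bits)):
            return cand, [revealed[i][b] for i, b in enumerate(bits)]
    return None


def lamport_demo() -> dict:
    sk, pk = keygen(256, seed=b"\x01" * 32)               # constructed seed
    msg = b"I agree to pay 100 EUR"
    sig = sign(sk, msg)
    single_use_ok = verify(pk, msg, sig)
    altered_rejected = not verify(pk, b"I agree to pay 1000 EUR", sig)

    # Key reuse at toy n=16: two honest signatures leak enough to forge a third.
    sk2, pk2 = keygen(16, seed=b"\x02" * 32)
    signed = [(m, sign(sk2, m)) for m in (b"invoice-1", b"invoice-2")]
    forged = forge_from_reuse(pk2, signed)
    forgery_verifies = forged is not None and verify(pk2, forged[0], forged[1])
    return {
        "single_use_ok": single_use_ok,
        "altered_message_rejected": altered_rejected,
        "reuse_forgery_verifies": forgery_verifies,
    }
```

The reuse search is the whole reason for the "peculiarities" mentioned above: XMSS and LMS put many one-time keys under a Merkle tree and require the signer to keep a counter so that no leaf key is ever used twice, which is awkward for backups, HSM clusters and anything that clones a signing key; SPHINCS+ avoids the state by using few-time signatures and a hypertree, at the cost of size and speed. Note also that "as secure as the hash" is a statement about preimage and second-preimage resistance of the hash at the chosen output length, which is why these schemes are parameterized at 256 bits given Grover's square-root speedup.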
--