Non-repudiation threatened by future quantum attacks?


Dan Brown

Jul 29, 2021, 4:41:42 PM
to pqc-forum, dani...@blackberry.com

Dear PQC forum,

Non-repudiation (of signatures) is threatened by future quantum computers, right?

For example, in some (hypothetical) applications of digital signatures, signers should not be able to repudiate their signatures in the future. But if a quantum computer arrives, let's say in 2030, signers can repudiate in 2030 their old RSA and ECC signatures generated in 2021, by arguing to third parties that the signatures were forged in 2030 with a quantum computer.  Fortunately, PQC can fix this. Verifiers in 2021 who want to hold the signers to their commitment beyond the quantum era (e.g. >2030) should already want signers to use PQC signatures in 2021.

This risk issue seems implicit in Mosca's x+y > z approach. But I've (mis)heard it said that signatures are not threatened by future quantum computers.

Details limit the quantum threat to non-repudiation risk, likely making it much less than the risk to forward secrecy.  (1) Non-repudiation of digital signatures is rarely used; it is a niche application.  (2) Repudiating signers can already claim their devices have been hacked and keys stolen, which may already be more plausible now than a future quantum attack.  (3) Verifiers can insist that signers periodically re-sign their messages with the latest algorithms, eventually migrating to PQC.  (4) Time-stamps, such as a block-chain or official notarization records, if both quantum-resistant and applied close to signing time, can effectively back-date signatures, preventing repudiation.  (5) Social traditions, e.g. courts, will probably always contribute more to non-repudiation than digital signatures do.

Nonetheless, PQC signatures seem somewhat more urgent than the low risk to real-time authentication (a common digital signature application) would suggest.

Best regards,

-- Dan

Funda Secgin

Jul 29, 2021, 6:42:03 PM
to Dan Brown, pqc-forum, dani...@blackberry.com
Hello
We are ready for any kind of signature and support in all your publications, both in the real world and in the virtual environment; I am open to signatures in any kind of investigation data.

fs

On Thu, 29 Jul 2021 at 11:41 PM, 'Dan Brown' via pqc-forum <pqc-...@list.nist.gov> wrote:

Watson Ladd

Jul 29, 2021, 9:52:17 PM
to Dan Brown, pqc-forum, dani...@blackberry.com
On Thu, Jul 29, 2021 at 1:41 PM 'Dan Brown' via pqc-forum
<pqc-...@list.nist.gov> wrote:
>
> Dear PQC forum,
>
> Non-repudiation (of signatures) is threatened by future quantum computers, right?
>
> For example, in some (hypothetical) applications of digital signatures, signers should not be able to repudiate their signatures in the future. But if a quantum computer arrives, let's say in 2030, signers can repudiate in 2030 their old RSA and ECC signatures generated in 2021, by arguing to third parties that the signatures were forged in 2030 with a quantum computer. Fortunately, PQC can fix this. Verifiers in 2021 who want to hold the signers to their commitment beyond the quantum era (e.g. >2030) should already want signers to use PQC signatures in 2021.
>
> This risk issue seems implicit in Mosca's x+y > z approach. But I've (mis)heard it said that signatures are not threatened by future quantum computers.
>
> Details limit the quantum threat to non-repudiation risk, likely making it much less than the risk to forward secrecy. (1) Non-repudiation of digital signatures is rarely used; it is a niche application. (2) Repudiating signers can already claim their devices have been hacked and keys stolen, which may already be more plausible now than a future quantum attack. (3) Verifiers can insist that signers periodically re-sign their messages with the latest algorithms, eventually migrating to PQC. (4) Time-stamps, such as a block-chain or official notarization records, if both quantum-resistant and applied close to signing time, can effectively back-date signatures, preventing repudiation. (5) Social traditions, e.g. courts, will probably always contribute more to non-repudiation than digital signatures do.

I really can't see why anything but SPHINCS would ever be used in this
application given the need to survive potential cryptanalysis.

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim

Phillip Hallam-Baker

Jul 29, 2021, 10:49:28 PM
to Dan Brown, pqc-forum, dani...@blackberry.com
This is one of the very few problems that blockchain actually solves. It was the problem Haber and Stornetta addressed in their 1990 patent.

Provided the signature scheme is secure at the time the signature is enrolled, the signature remains non-repudiable even if the private key is disclosed.

Contrary to certain ideological claims, it is not necessary to use 'proof of waste' or burn as much electricity as Argentina to achieve finalization of the chain and prevent the notary defecting. Cross notarization addresses this problem. The scheme I propose in the Mathematical Mesh involves a mesh of cross notarization exchanges that have the effect of making every user their own ultimate source of notary authority.




Dan Brown

Aug 4, 2021, 2:16:45 PM
to pqc-forum, watso...@gmail.com, pqc-forum, dani...@blackberry.com, Dan Brown

Why, because SPHINCS+ is as secure as the hash it uses?

Hmm, this raises some further questions:

Is some version of XMSS or LMS usable for non-repudiation signature applications?

Would an (algorithmic) attack on SPHINCS+ imply an attack on other (NIST PQC) signatures?

Some signature schemes can meet narrower security goals (resisting passive universal forgery), regardless of the hash security, but how do the various hash-based signatures fare against the narrower classes of forgers?  (Likely, the answer is in the thorough documentation, already.)

Blumenthal, Uri - 0553 - MITLL

Aug 4, 2021, 2:35:05 PM
to pqc-forum

>> I really can't see why anything but SPHINCS would ever be used in this
>> application given the need to survive potential cryptanalysis.
>
> Why, because SPHINCS+ is as secure as the hash it uses?

I never actually looked at SPHINCS+. Is the above proven and verified?

> Hmm, this raises some further questions:
>
> Is some version of XMSS or LMS usable for non-repudiation signature applications?

That [non-repudiation] is what the term “digital signature” implies. A specific application may or may not be amenable to the restrictions/peculiarities that LMS/XMSS-type signatures impose on the framework.

> Would an (algorithmic) attack on SPHINCS+ imply an attack on other (NIST PQC) signatures?

Why should it?

伊藤忠彦

Aug 17, 2021, 7:02:20 AM
to Dan Brown, pqc-forum, dani...@blackberry.com
>> Nonetheless, PQC signatures seem somewhat more urgent than the low risk to real-time authentication (a common digital signature application) would suggest.

LTANS is another approach. 
Evidence Record Syntax (RFC4998) enables users to renew timestamps.
It is also possible to change timestamp algorithms.

The signed object of the new timestamp includes the old timestamped data and the information needed to verify it. It is kind of similar to block-chain, but I am not calling it block-chain.

So if the user is using ERS, the user can update the cryptographic algorithm to PQC by changing timestamping algorithms.
Our company has been providing a long-term data preservation service with ERS, and believes migration to PQC is not that urgent.
There are also other ways to renew the protecting signature algorithms.

I believe secrecy of the data is most urgent.

Regards, Tadahiko Ito
SECOM CO., LTD.


On Fri, 30 Jul 2021 at 5:41, 'Dan Brown' via pqc-forum <pqc-...@list.nist.gov>:
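The hash-linked notarization that Hallam-Baker traces back to Haber and Stornetta, the ERS-style timestamp renewal that Ito describes, and point (4) of Dan's opening message all rest on the same verifier check: the timestamp must cover the signature, must be anchored in a chain nobody can quietly rewrite, must predate the moment the signing key is assumed breakable, and must itself be renewed before its hash algorithm stops being trusted. The toy model below makes that check concrete. It is an added example, not code from this thread, from RFC 4998, or from the Mathematical Mesh; the classes NotaryLog and Entry, the function verify_evidence, the year values, the choice of sha256/sha3_512 as the "old" and "new" hashes, and the retirement table are all constructed for illustration, and the "signature" is a placeholder byte string rather than output of a real signature scheme.

```python
import hashlib
from dataclasses import dataclass, replace

# Hash algorithms available to the toy notary. "sha3_512" stands in for the
# newer algorithm a renewal migrates to (a constructed choice, not a recommendation).
HASHES = {"sha256": hashlib.sha256, "sha3_512": hashlib.sha3_512}
GENESIS = "0" * 64


def digest(alg: str, data: bytes) -> str:
    return HASHES[alg](data).hexdigest()


@dataclass(frozen=True)
class Entry:
    index: int
    year: int         # constructed timestamp; a plain year is enough for this model
    alg: str
    prev_hash: str    # entry_hash of the previous entry, GENESIS for the first one
    doc_hash: str     # hash of the data that was timestamped
    entry_hash: str   # hash over the fields above; the next entry links to it

    def serialize(self) -> bytes:
        # What a renewal re-timestamps: the old timestamp plus what is needed to verify it.
        return f"{self.index}|{self.year}|{self.alg}|{self.prev_hash}|{self.doc_hash}|{self.entry_hash}".encode()


class NotaryLog:
    """Append-only hash-linked log: each entry commits to the previous one, so an entry
    cannot be inserted or back-dated without rewriting every later link."""

    def __init__(self, alg: str):
        self.alg = alg
        self.entries: list[Entry] = []

    def stamp(self, data: bytes, year: int) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        idx = len(self.entries)
        doc = digest(self.alg, data)
        entry_hash = digest(self.alg, f"{idx}|{year}|{prev}|{doc}".encode())
        entry = Entry(idx, year, self.alg, prev, doc, entry_hash)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = GENESIS
        for idx, e in enumerate(self.entries):
            expected = digest(self.alg, f"{idx}|{e.year}|{prev}|{e.doc_hash}".encode())
            if e.index != idx or e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True


def verify_evidence(signature: bytes, evidence: list[tuple[NotaryLog, Entry]],
                    compromise_year: int, retired: dict[str, int]) -> bool:
    """Decide whether `signature` can still be held against the signer. evidence[0] must
    timestamp the signature, evidence[i+1] must timestamp the serialized evidence[i]
    (an ERS-style renewal). Every chain must be intact, every link must cover what it
    claims, the first timestamp must predate `compromise_year` (when the signing
    key/algorithm is assumed breakable), and any timestamp made with a hash listed in
    `retired` (alg -> year it stopped being trusted) must have been renewed before then."""
    if not evidence:
        return False
    covered = signature
    for log, entry in evidence:
        if entry not in log.entries or not log.verify_chain():
            return False
        if entry.alg != log.alg or entry.doc_hash != digest(entry.alg, covered):
            return False
        covered = entry.serialize()
    if evidence[0][1].year >= compromise_year:
        return False
    for i, (_, entry) in enumerate(evidence):
        if entry.alg in retired:
            renewed = evidence[i + 1][1] if i + 1 < len(evidence) else None
            if renewed is None or renewed.year >= retired[entry.alg]:
                return False
    return True


def backdated_copy(log: NotaryLog, index: int, year: int) -> NotaryLog:
    """Constructed tampering: rewrite one entry's year without recomputing the links."""
    forged = NotaryLog(log.alg)
    forged.entries = list(log.entries)
    forged.entries[index] = replace(forged.entries[index], year=year)
    return forged


def demo() -> dict[str, bool]:
    # Constructed stand-in for an RSA/ECC signature produced in 2021; nothing is really signed.
    sig = b"constructed 2021 signature blob over contract.pdf"
    notary_a = NotaryLog("sha256")
    e1 = notary_a.stamp(sig, year=2021)             # stamped close to signing time
    notary_b = NotaryLog("sha3_512")
    e2 = notary_b.stamp(e1.serialize(), year=2028)  # renewal with a newer hash, before sha256 retires
    retired = {"sha256": 2031}                      # constructed retirement year for the old hash
    late = NotaryLog("sha256")
    e_late = late.stamp(sig, year=2032)             # stamped only after the assumed key compromise
    forged = backdated_copy(late, 0, 2021)          # then "back-dated" by editing the log
    return {
        "renewed_chain_holds": verify_evidence(sig, [(notary_a, e1), (notary_b, e2)], 2030, retired),
        "unrenewed_but_hash_still_trusted": verify_evidence(sig, [(notary_a, e1)], 2030, {}),
        "unrenewed_and_hash_retired": verify_evidence(sig, [(notary_a, e1)], 2030, retired),
        "stamped_after_compromise": verify_evidence(sig, [(late, e_late)], 2030, {}),
        "backdated_log_detected": verify_evidence(sig, [(forged, forged.entries[0])], 2030, {}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'non-repudiable' if ok else 'repudiation claim stands'}")
```

The model deliberately separates the two clocks that matter in the thread: `compromise_year` is when the signature algorithm itself is assumed forgeable (Dan's 2030), while the `retired` table is when a timestamp's hash stops being trusted, which is what forces the ERS-style renewal. A real deployment would replace the single notary with cross-notarization or an independently anchored chain so that the notary cannot rewrite its own log, and would carry actual RFC 4998 evidence records rather than the serialized toy entries used here.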