Hi,
German Bundesamt für Sicherheit in der Informationstechnik (BSI) recently published an update to the excellent report “Status of quantum computer development - Entwicklungsstand Quantencomputer”. I think this is very likely the best and most up-to-date overview of quantum computer and quantum algorithm development focusing on cryptography. A lot of details but not so many conclusions, except that development of any CRQC will take at least one decade and more likely two.
Two decades is not a lot of time and BSI encourages rapid migration to post-quantum cryptography: ”From the BSI's point of view, the question of "if" or "when" there will be quantum computers is no longer paramount. First post-quantum algorithms have been selected by NIST for standardisation and post-quantum cryptography will be used by default. Therefore, the migration to post-quantum cryptography should be pushed forward.”
Cheers,
John Preuß Mattsson
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/GVXPR07MB967848982DB9EAE80CB71C6689B2A%40GVXPR07MB9678.eurprd07.prod.outlook.com.
Hi Wrenna,
Yes, BSI started recommending FrodoKEM and Classic McEliece in 2020 and that is still the recommendation:
“Recommended Mechanisms: The key exchange mechanisms FrodoKEM-976 and FrodoKEM-1344 ([5, Section 2.5]) as well as Classic McEliece with the parameters mceliece460896, mceliece6688128 and mceliece8192128 as well as their corresponding variants mceliece460896f, mceliece6688128f and mceliece8192128f [3, Section 7] are assessed to be cryptographically suitable to protect confidential information on a long-term basis at the security level aimed at in this Technical Guideline. This is a very conservative assessment that includes a significant margin of security with respect to future cryptanalytic advances. It is possible that in future revisions of this guideline other parameter choices and PQC mechanisms may also be deemed technically suitable.
FrodoKEM will not be standardised as part of NIST’s PQC project. This is mainly due to considerations of the efficiency of the mechanism, there are currently no doubts about its security [2]. Classic McEliece was included in the fourth round of the NIST project and could possibly be standardised at the end of the project. The BSI therefore maintains the recommendation of FrodoKEM and Classic McEliece as PQC mechanisms with a high security margin against future attacks. More details can be found in the BSI-guide “Quantum-safe cryptography” [37].
In Chapter 6, the hash-based signature mechanisms XMSS and LMS as well as their multi-tree variants, which are considered quantum computer-resistant according to current knowledge, are recommended.
At this time, no further post-quantum mechanisms are recommended in this Technical Guideline. About a possible adoption of the mechanisms selected for standardisation by NIST in July 2022 (see [2]) into the Technical Guideline will only be decided after publication of the draft standards.”
As stated in the January 2023 edition of BSI TR-02102-1, BSI will make a decision on possible adoption of the mechanisms standardized by NIST. I don’t know what that decision will be, but I hope that BSI aligns with France, The Netherlands, and the UK and recommends ML-KEM and ML-DSA. The Netherlands also recommended FrodoKEM and Classic McEliece in 2022 but are now recommending ML-KEM and ML-DSA (FrodoKEM and Classic McEliece are no longer recommended). I hope that with open-access NIST algorithms available, BSI stops recommending non-standardized and paywalled algorithms, which clearly are a cybersecurity risk. If any European country would like to continue recommending FrodoKEM, they should drive for publication as an RFC.
Cheers,
John Preuß Mattsson
On 14 Nov 2023, at 13:37, Wrenna Robson <wren....@gmail.com> wrote:
Hi Wrenna,
All current ISO standards are paywalled and, as stated several times on this forum, ISO is planning to standardize Classic McEliece and FrodoKEM. Unless ISO realizes that paywalled security standards are a security risk, I assume future ISO standards of Classic McEliece and FrodoKEM will also be paywalled.
Yes, NIST is still considering standardizing Classic McEliece and an internet draft (draft-josefsson-mceliece-00) was recently published.
FrodoKEM and McEliece specifications are available from the NIST PQC project website but deploying non-standardized cryptography is typically not a good idea.
IMHO, such fragmentation may also have a negative impact on overall adoption of PQ schemes.
Regarding FrodoKEM, indeed standardization in ISO is done behind closed doors, but it is worth noting that frodokem.org has a new release of the algorithm spec [1]. The page says it is a "FrodoKEM Preliminary Standardization Proposal (submitted to ISO)". It gives some idea of what's going on behind those "closed doors". I looked at it some time ago and it seems very similar to FrodoKEM from NIST PQC Round 3, but it does have some additional parametrisation.
[1] https://frodokem.org/files/FrodoKEM-standard_proposal-20230314.pdf
Best,
---
Kris Kwiatkowski Staff Cryptography Architect PQShield, LTD
Dear John & all,
Per your feedback:
> All current ISO standards are paywalled and as stated several times on this forum, ISO is planning to standardize Classic McEliece and FrodoKEM. Unless ISO realizes that paywalled security standards are a security risk I assume future ISO standards of Classic McEliece and FrodoKEM will also be paywalled.
Do you know by any chance if ISO has already registered any draft versions on McEliece and FrodoKEM? And if so, are there corresponding website links?
For example, for QKD the corresponding link (this is an official standard though): https://www.iso.org/standard/77097.html
Thank you in advance,
Costas.
Stanchion Payments | Senior Solutions Consultant
From: pqc-...@list.nist.gov <pqc-...@list.nist.gov>
On Behalf Of Anjan Roy
Sent: Tuesday, November 14, 2023 4:32 PM
To: Kris Kwiatkowski <kr...@amongbytes.com>
Cc: pqc-...@list.nist.gov
Subject: Re: [pqc-forum] BSI Status of quantum computer development - Entwicklungsstand Quantencomputer
Dear Costas,
As discussed in this forum there are ISO draft versions of McEliece and FrodoKEM. I am quite sure there is no public information. ISO is a very secret organisation out of touch with the modern world. People engaging in ISO are even forbidden to discuss anything in public. I think it would be beneficial for global cybersecurity and democracy if ISO stopped producing paywalled security standards.
According to the FrodoKEM and Classic McEliece teams the following documents were submitted to ISO:
https://classic.mceliece.org/iso-mceliece-20230419.pdf
https://frodokem.org/files/FrodoKEM-standard_proposal-20230314.pdf
>For example, for QKD the corresponding link
QKD is completely useless for any non-military use cases. Not only is QKD very expensive and inflexible, practical implementations are not secure at all. Trusted relays are the complete opposite of current best practice for how to build modern infrastructure. If the availability and side-channel problems are solved in the future, it could maybe make sense to use point-to-point QKD as a defense-in-depth measure in military applications where cost is not relevant. QKD can theoretically be used together with a pre-shared key to get information-theoretic security. Alternatively, you could use QKD, a pre-shared key, and a symmetric cipher to create a system that does not rely on asymmetric cryptography but still provides PFS. But even in military use cases, I think a hybrid system using KEMs based on different mathematical problems (ECC + ML-KEM + Classic McEliece + CSIDH) would be a better, cheaper, and practically more secure choice.
(My current understanding is that the availability and side-channel issues are fundamentally tied to QKD and will not be solved).
Cheers,
John Preuß Mattsson
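The hybrid construction mentioned above, several KEMs based on different mathematical problems combined into one session key, as an added illustration that is not part of the original post and is not code from BSI, NIST or any of the named schemes. It shows the combiner step only: one key is derived from every component's shared secret and ciphertext, so the result stays unpredictable as long as any single component remains unbroken. The component KEMs (ECDH, ML-KEM, Classic McEliece) are constructed stand-ins derived from a seed, and the HKDF-based layout, labels and function names are assumptions chosen for the example.

```python
"""Hybrid KEM shared-secret combiner (added example, not code from the thread)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """Output of one component KEM: a label, its shared secret and its ciphertext."""
    name: str
    shared_secret: bytes
    ciphertext: bytes


def _len_prefixed(data: bytes) -> bytes:
    # Length-prefix every field so the concatenation is unambiguous: no field
    # boundary can be shifted by choosing secrets or ciphertexts of odd sizes.
    if len(data) >= 1 << 16:
        raise ValueError("field too long for a 2-byte length prefix")
    return len(data).to_bytes(2, "big") + data


def _hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # HKDF-Extract (RFC 5869) with HMAC-SHA-256.
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def _hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # HKDF-Expand (RFC 5869) with HMAC-SHA-256.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine(components: list, context: bytes, length: int = 32) -> bytes:
    """Derive one session key from all component KEM results.

    The input keying material is the concatenation of all shared secrets; the
    HKDF salt commits to the transcript (component names and ciphertexts), so
    the key is bound to exactly the KEM outputs both peers exchanged. An
    attacker who breaks every component but one still faces an unknown shared
    secret inside the keying material.
    """
    if len(components) < 2:
        raise ValueError("a hybrid needs at least two independent components")
    ikm = b"".join(_len_prefixed(c.shared_secret) for c in components)
    transcript = b"".join(
        _len_prefixed(c.name.encode("utf-8")) + _len_prefixed(c.ciphertext)
        for c in components
    )
    prk = _hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    info = b"hybrid-kem-combiner-v1" + _len_prefixed(context)  # assumed label
    return _hkdf_expand(prk, info, length)


def constructed_components(seed: bytes) -> list:
    """Deterministic stand-ins for ECDH, ML-KEM and Classic McEliece outputs.

    No real KEM is run here; secrets and ciphertexts are derived from the seed
    so the example is reproducible offline. Sizes are only loosely modelled on
    the real schemes.
    """
    comps = []
    for name, ct_len in (("ecdh", 32), ("ml-kem", 1088), ("mceliece", 156)):
        ss = hashlib.sha256(seed + name.encode() + b"ss").digest()
        ct = _hkdf_expand(seed, name.encode() + b"ct", ct_len)
        comps.append(Component(name, ss, ct))
    return comps


def one_component_broken_changes_key(seed: bytes, context: bytes) -> bool:
    """Check that an attacker who knows all but one shared secret and guesses
    the remaining one wrong derives a different key, whichever component it is."""
    comps = constructed_components(seed)
    real = combine(comps, context)
    for i, c in enumerate(comps):
        guessed = list(comps)
        guessed[i] = Component(c.name, bytes(len(c.shared_secret)), c.ciphertext)
        if combine(guessed, context) == real:
            return False
    return True


if __name__ == "__main__":
    demo = constructed_components(b"example-seed")
    print(combine(demo, b"pqc-forum demo").hex())
    print(one_component_broken_changes_key(b"example-seed", b"pqc-forum demo"))
```

The length prefixes and the transcript-bound salt are the parts worth copying into a real deployment: without them, two different sets of component outputs can concatenate to the same byte string, and a key that is not bound to the ciphertexts gives no protection if one component's ciphertext is swapped in transit.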
Thank you very much, John, for the feedback provided, also on QKD.
I totally agree that the way ISO works does not help much with all this secrecy. I hope that this will change in the future.
Regarding QKD, although off-topic, as it stands now it is not a practical solution for commercial use, indeed.
Best regards,
Costas.
On Nov 15, 2023, at 07:26, Constantinos Valakas <Constantin...@stanchionpayments.com> wrote:
Indeed, development could stall or speed up. But these two-way quantum computers are most likely not real. [1]
Best,
Bas
On Thu, Nov 16, 2023 at 3:27 AM Jarek Duda <dud...@gmail.com> wrote:
> Two decades to break the current cryptography assuming there is a stable evolution of current quantum computing technologies, without some large breakthroughs - but what if there are some surprises around the corner? Is there maybe a list of considered hypothetical breakthroughs which might shorten this time?
> One I am aware of is the two-way quantum computer (2WQC) enhancement: we influence standard electronics from both directions - pushing electrons into a chip, and simultaneously pulling them from it, for better flow control. If such two-way control were reached for any quantum computing technology, in theory it could attack NP problems (postBQP with postselection as physical constraints).
> Below this is proposed for a photonic QC using a laser pulse as state preparation. Using a ring laser for this purpose and enclosing it in a loop like the one below, from the perspective of CPT symmetry the photon trajectories are reversed - doing exactly what state preparation does, but towards the original final state.
On Tuesday, November 14, 2023 at 1:25:45 PM UTC+1 John Mattsson wrote: