Re: QC-proof cipher?



On Tue, 23 May 2006 21:47:52 +0100, Peter Fairbrother <zenadsl6186@xxxxxxxxx> wrote:

> Paul Rubin wrote:
>
>> Peter Fairbrother <zenadsl6186@xxxxxxxxx> writes:
>>> Does anyone know of a secure symmetric cipher which is known to be
>>> resistant to quantum computation techniques?
>>
>> "Known"? There isn't even a symmetric cipher "known" to be resistant
>> to conventional computation techniques, let alone quantum computing.
>
> I realise that. Perhaps I misspoke. If we want to be picky, there is only
> one "secure" symmetric cipher too, OTP.

Hi Peter,

One thing I wonder is people always say this about OTP, but what
is the difference between OTP and a NULL cipher? I.e. OTP is secure
100% provably, but if and only if the secure channel you trade
the key on is 100% secure, so you could just send your plaintext
data down the secure channel and dummy data (a pdf of Applied
Cryptography, say <g>) down the main untrusted channel; surely
it is the same, and thus the OTP is worthless (at least under
that defn.)??

>> What are you really asking?
>
> Isn't it obvious? I'm looking for a symmetric cipher (or even a hash)
> designed with resistance to QC in mind.
>
> I'd like a reasonable level of assurance. AES level would be good but almost
> certainly not available, even hasty-pudding-level would be good - but
> designed under the assumption that QC's are available to the attacker.
>
> I'm preferably looking for something around 512 bits key and 512 bits block
> size, for long-term future-proofing.
>
> I'm not getting into the question of whether QC's will exist, or when, just
> whether anyone has designed a half-decent or better cipher with resistance
> to QC techniques in mind.

But what sort of capabilities does your adversary have? What if they
can find a way to elucidate the keys because of other security flaws
in your system? (If that happened then the "strength" of the cipher
won't matter at all, and it is a very real possibility, for example if
the key issuing comes from a server that has an easy weakness and they
compromise that machine ....)

I think you could have a good deal of assurance if you invest in some sort
of insurance really. That's what I'd do anyway if it was _that_ important.
You can pay a well-established security firm to do the work for you and
make sure the contract includes full insurance against any damages caused
by compromise of that system for the next fifty years; might cost you
though ;-)

best wishes
l

> --
> Peter Fairbrother

--
echo alru_aafriehdab@xxxxxxxxxxxxx |sed 's/\(.\)\(.\)/\2\1/g'

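The OTP-versus-NULL-cipher comparison and the "100% provably secure" claim above can be checked on a toy scale. The following Python is an added example, not code from the thread: it counts pads per plaintext to exhibit perfect secrecy, measures the trusted-channel cost of a pad against that of just sending the plaintext, and shows the one failure mode (pad reuse) that the proof does not cover. All function names and the sample messages are constructed for this illustration.

```python
import os
from collections import Counter
from itertools import product


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing with a pad at least as long as the data."""
    if len(pad) < len(data):
        raise ValueError("a one-time pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def trusted_channel_bytes(message_len: int, reusable_key_len: int) -> dict:
    """Bytes that must cross the trusted channel to protect one message.
    An OTP needs a fresh pad as long as the message, which is exactly what
    sending the plaintext itself over that channel would cost; a conventional
    cipher sends its fixed-size key once and reuses it for later messages."""
    return {"plaintext": message_len, "otp": message_len, "conventional": reusable_key_len}


def pads_per_plaintext(ciphertext: bytes) -> Counter:
    """Brute-force every pad of the ciphertext's length and count how many of them
    decrypt it to each candidate plaintext. Every count being exactly 1 is the
    perfect-secrecy property: the ciphertext alone rules out no plaintext.
    Intended for ciphertexts of at most 2 bytes (65536 pads)."""
    counts = Counter()
    for pad in product(range(256), repeat=len(ciphertext)):
        counts[otp_xor(ciphertext, bytes(pad))] += 1
    return counts


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns when the same pad protects two messages:
    c1 XOR c2 equals p1 XOR p2, with the pad cancelled out entirely."""
    return otp_xor(c1, c2)


if __name__ == "__main__":
    # Constructed sample: a 2-byte message under a fresh random pad.
    message = b"ok"
    pad = os.urandom(len(message))
    ct = otp_xor(message, pad)
    assert otp_xor(ct, pad) == message
    counts = pads_per_plaintext(ct)
    print("distinct plaintexts:", len(counts), "max pads per plaintext:", max(counts.values()))
    print("trusted-channel cost for a 1 MB message:", trusted_channel_bytes(1 << 20, 32))
    p1, p2 = b"hello", b"world"
    reused = os.urandom(5)
    print("pad reuse exposes p1 XOR p2:",
          pad_reuse_leak(otp_xor(p1, reused), otp_xor(p2, reused)) == otp_xor(p1, p2))
```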

