Benjamin Mord [ARCHIVE] on Nostr: 📅 Original date posted:2018-05-08 📝 Original message: Sorry, I do not wish to ...
📅 Original date posted:2018-05-08
📝 Original message:
Sorry, I do not wish to spam the list, but I need to correct a rather
serious error in my last email. We must never call something
"post-quantum", absent mathematical proof. (And good luck with that.) I
apologise for my mistake in doing so myself.
I should not even refer to lattice-based cryptography as a post-quantum
algorithm; I should at best call it a Shor's algorithm-resistant scheme. At
least, it is not (yet) known how Shor's algorithm could be used to break
it. Not in public circles, anyhow.
A cursory glance at the history of cryptanalysis shows that primitives
generally have finite life, which makes it odd that systems seldom use
redundant primitives, and seldom provide for their rapid and safe swap. A
system whose entire security rests on nothing but cryptography, ought to
take particular care! The spectre of quantum computers may render the
finite life of certain primitives more salient than others, but we must not
suppose that, absent Shor's algorithm, there would be no need to plan for
cryptographic failures. The question is not if, but when, Bitcoin and
lightning will contend with broken primitives, whether due to classical or
quantum cryptanalysis. Likely, both will come into play at various times,
and one must plan accordingly.
On Tue, May 8, 2018, 9:09 AM Benjamin Mord <ben at mord.io> wrote:
>
> That would be awesome. Do you have a reference?
>
> As pertains to the whole of asymmetric cryptography, I believe there are
> not a variety of post quantum schemes, there is only one*: lattice-based
> cryptography. (Which scares me, because it is not all that different from
> the others.)
>
> (* Actually, in contexts where time can be used for asymmetry, as in
> TESLA, we can then use hash functions to create something like asymmetric
> signatures as well. But the functional context has to be compatible with
> delayed verification.)
>
> (But I do not mean to focus exclusively on Shor's algorithm, the history
> of even pre-quantum cryptanalysis shows that primitives tend to have finite
> lifespan. Redundancy of any sort is good, even when not focused
> specifically on quantum risks.)
>
> On Tue, May 8, 2018, 8:58 AM Greg Sanders <gsanders87 at gmail.com> wrote:
>
>> From what I understand talking to folks, the linear properties of these
>> signature tricks are maintained under a number of post-quantum schemes.
>>
>> On Tue, May 8, 2018 at 8:44 AM, Benjamin Mord <ben at mord.family> wrote:
>>
>>>
>>> If I'm not mistaken, the scriptless scripts concept (as currently
>>> formulated) falls to Shor's algorithm, and at present there is no
>>> alternative implementation of the concept to fall back on. Correct? Lest we
>>> build a house of cards, I'd strongly urge everyone to not depend on
>>> functional concepts whose underlying cryptographic primitives cannot be
>>> swapped in an emergency.
>>>
>>> Sure, we use ECDSA for example (which is also vulnerable to Shor's
>>> algorithm), but in contrast to scriptless scripts we have a variety of
>>> backup primitives at our disposal that fulfill the same functional
>>> objective.
>>>
>>> If scriptless scripts are found possible under lattice-based
>>> cryptography for example, that would be something I suppose. The functional
>>> concept of scriptless scripts is indeed very awesome - we just need to add
>>> some cryptographic conservatism before we build on it.
>>>
>>>
>>> _______________________________________________
>>> Lightning-dev mailing list
>>> Lightning-dev at lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>>>
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20180508/664c63d0/attachment-0001.html>
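The thread's point that a system should use redundant primitives and be able to retire one safely is easy to illustrate with a small composite signature. The following is an added example written for this archive page, not code from the thread or from any Lightning project: two independent hash-based (Lamport) one-time signatures, each over a different hash function, are combined so that a verifier requires both to check out, and each component carries an algorithm identifier so that a primitive believed broken can be retired by policy without changing the message format. All function names and algorithm identifiers here are constructed for the example; Lamport keys are one-time, so each key pair signs exactly one message.

```python
"""Redundant, swappable signature primitives (illustrative example, not code
from the thread). Two Lamport one-time signatures over different hash
functions are combined; breaking one hash function alone does not yield a
forgery, and a broken primitive can be retired without a format change.
All identifiers below are constructed for this example."""
import hashlib
import secrets

# Registry of hash primitives, addressed by an algorithm identifier that
# travels with the signature so the verifier never has to guess which
# primitive was used. Adding a new entry is the "swap" the thread asks for.
HASHES = {
    "lamport-sha256": hashlib.sha256,
    "lamport-sha3_256": hashlib.sha3_256,
}


def _bits(digest: bytes):
    """Yield the 256 bits of a 32-byte digest, most significant bit first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lamport_keygen(alg):
    """256 pairs of random secrets; the public key is their hashes."""
    h = HASHES[alg]
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a).digest(), h(b).digest()) for a, b in sk]
    return sk, pk


def lamport_sign(alg, sk, msg):
    """One-time: reveal one preimage per message-digest bit.
    A Lamport key must never sign two different messages."""
    digest = HASHES[alg](msg).digest()
    return [sk[i][bit] for i, bit in enumerate(_bits(digest))]


def lamport_verify(alg, pk, msg, sig):
    h = HASHES[alg]
    if len(sig) != 256:
        return False
    digest = h(msg).digest()
    return all(h(sig[i]).digest() == pk[i][bit]
               for i, bit in enumerate(_bits(digest)))


def composite_keygen(algs):
    """Independent key pairs for each listed primitive."""
    keys = {alg: lamport_keygen(alg) for alg in algs}
    secret = {alg: sk for alg, (sk, _) in keys.items()}
    public = {alg: pk for alg, (_, pk) in keys.items()}
    return secret, public


def composite_sign(secret, msg):
    """Signature is a map alg-id -> component signature."""
    return {alg: lamport_sign(alg, sk, msg) for alg, sk in secret.items()}


def composite_verify(public, msg, sig, retired=frozenset()):
    """Every component named in the public key must be present and verify.
    Components in `retired` (primitives believed broken) are still checked
    but contribute no security; the composite is rejected outright if no
    non-retired component remains, so a break never silently degrades the
    signature to zero."""
    if set(sig) != set(public):
        return False
    if not all(lamport_verify(alg, public[alg], msg, sig[alg]) for alg in public):
        return False
    return any(alg not in retired for alg in public)


if __name__ == "__main__":
    secret, public = composite_keygen(["lamport-sha256", "lamport-sha3_256"])
    msg = b"constructed sample message"  # constructed for the example
    sig = composite_sign(secret, msg)
    print("valid:", composite_verify(public, msg, sig))
    print("after retiring sha256:",
          composite_verify(public, msg, sig, retired={"lamport-sha256"}))
```

The verifier's policy is the interesting part: an "AND" of independent primitives means an adversary must break every component to forge, and the `retired` set lets operators mark a primitive as broken on the day it falls while signatures that also carry a still-trusted component keep verifying. Swapping in a new primitive is a registry entry plus a new key pair, not a protocol redesign.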