
We can't trust RSA to encrypt our emails, so what is the best post-quantum cryptography system as an alternative to RSA which provides good security and isn't breakable? Because the McEliece cryptosystem looks broken with 2^60.55 bit operations.

– john (edited by Paŭlo Ebermann)
1 Answer

My impression is that there is no production ready post quantum scheme ATM.

NTRU seems to be decent (complete spec, reasonable parameter-sizes and performance), but I think it's patented. No idea about the licensing terms.

But whatever scheme you choose, don't use it instead of a conventional scheme (RSA, DH, ECDH) but in addition to a conventional scheme. If you use a good construction, your protocol will be as secure as the stronger of the schemes.

– CodesInChaos
  • Hasn't NTRU been broken several times by Faugère's work on Gröbner bases? – Alexandre Yamajako Dec 07 '12 at 11:48
  • @AlexandreYamajako No idea. I don't really trust any of these new schemes, that's why I recommended using it in addition to a conventional scheme. – CodesInChaos Dec 07 '12 at 12:16
  • @CodeInChaos what construction were you thinking about? I don't think composition is a terrible idea, but there are examples in which it breaks. Maybe pick $r$ at random, then $m_0\gets r\oplus m$ and $m_1 \gets r$? – Alexandre Yamajako Dec 07 '12 at 13:38
  • @AlexandreYamajako The choice of construction depends on the application requirements. But if you just need a symmetric key, you could for example choose two random keys, encrypt each one with a different scheme, and use the hash of both as your symmetric key. – CodesInChaos Dec 07 '12 at 13:39
  • Or you could avoid needing to rely on the "random oracle"-ness of the hash, and just use the xor of both as your symmetric key. – Dec 07 '12 at 22:41
  • NTRU is about as good as it gets right now. For certain parameters it has been broken; but picking the "wrong" IV for certain ciphers breaks them too. As NTRU receives further scrutiny it's likely to be broken again, and fixed again, until it's of a quality ready to replace DSA, RSA, and EC. Quantum computers are only up to 4 bits, and I estimate the 1024-bit RSA we use today is safe for another ~8 years. It doesn't hurt to plan for the inevitable though. NTRU is patented, but they've been very permissive, including openly offering cross-patent licensing (a reasonable and defensive stance). – Chris S Dec 10 '12 at 15:10
  • @ChrisS did anything change in the last three years? – Janus Troelsen Sep 09 '15 at 19:07
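The two key combiners discussed in the answer and its comments (hash of both secrets, or xor of both secrets), written out as an added example that is not part of the original post. The "classical" and "post-quantum" shared secrets and ciphertexts are constructed sample bytes standing in for the outputs of two real key-exchange schemes (an assumption); the `_lv` length-prefixing helper and the `label` parameter are additions so that the hash input is unambiguous, and binding the ciphertexts into the hash is the usual hybrid-KEM practice, not something the thread itself mandates.

```python
import hashlib
import hmac


def _lv(field: bytes) -> bytes:
    """Length-prefix a field so that concatenating fields is unambiguous
    (k1=b"a", k2=b"bc" must not hash like k1=b"ab", k2=b"c")."""
    return len(field).to_bytes(2, "big") + field


def combine_hash(k_classical: bytes, k_pq: bytes,
                 ct_classical: bytes, ct_pq: bytes,
                 label: bytes = b"hybrid-kem-v1") -> bytes:
    """Hash combiner from the answer: K = H(label || k1 || k2 || c1 || c2).

    If either shared secret stays secret, K is unpredictable (modelling
    SHA-256 as a random oracle). Including both ciphertexts means a
    tampered ciphertext on the wire yields an unrelated K rather than a
    subtly related one."""
    fields = (label, k_classical, k_pq, ct_classical, ct_pq)
    return hashlib.sha256(b"".join(_lv(f) for f in fields)).digest()


def combine_xor(k_classical: bytes, k_pq: bytes) -> bytes:
    """XOR combiner from the comments: no random-oracle assumption, but it
    only works when both secrets are uniformly random and of equal length
    (a structured or short secret from one scheme would leak through)."""
    if len(k_classical) != len(k_pq):
        raise ValueError("xor combiner needs equal-length secrets")
    return bytes(a ^ b for a, b in zip(k_classical, k_pq))


def keys_agree(k_a: bytes, k_b: bytes) -> bool:
    """Constant-time comparison of two derived keys."""
    return hmac.compare_digest(k_a, k_b)


# Constructed sample values standing in for two real schemes' outputs.
K1, K2 = bytes(range(32)), bytes(range(32, 64))
C1, C2 = b"ct-classical-sample", b"ct-pq-sample"

if __name__ == "__main__":
    k_hash = combine_hash(K1, K2, C1, C2)
    # An attacker who broke scheme 1 knows K1 but still has to guess K2.
    k_guess = combine_hash(K1, bytes(32), C1, C2)
    print("hash combiner:", k_hash.hex())
    print("attacker with K1 only matches:", keys_agree(k_hash, k_guess))
    print("xor combiner:", combine_xor(K1, K2).hex())
```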