Date: Sat, 19 Aug 2017 06:55:29 +0000 From: Yawning Angel yawning@schwanenlied.me
On Sat, 19 Aug 2017 04:11:16 -0000 bancfc@openmailbox.org wrote:
> Boom headshot! AEZ is dead in the water post-quantum:
> Paper name: Quantum Key-Recovery on full AEZ
... I'm not seeing your point. Even prior to that paper, AEZ wasn't thought to be quantum resistant in any way, shape or form, and providing quantum resistance wasn't part of the design goals of the primitive, or really why it was being considered at one point for use in Tor.
I would expect AEZ to have essentially the same post-quantum security as, e.g., AES or any other symmetric crypto -- square root speedup by Grover.
However, this paper is not about the conventional notion of post-quantum security -- what is the cost, to an adversary with a large quantum computer, of breaking ordinary users of the cryptosystem? -- but a radically different notion of security for users who inexplicably choose to evaluate AEZ in a quantum superposition of inputs and reveal that superposition to an adversary.
It is not surprising that when users abuse their crypto primitives in an astoundingly bizarre way, to reveal quantum superpositions of outputs, the original security claims of the classical crypto primitives go flying out the window!