所以要開始開發 CECPQ2 了...

CECPQ1Google 在研究對抗量子電腦的演算法,作為測試用的演算法,曾經在 Google Chrome 的 54 beta 版 (2016 年) 存活過一段時間,最近又開始在開發新一代的演算法 CECPQ2 了,這次會是基於 TLS 1.3 上測試:「CECPQ2」。

CECPQ2 will be moving slowly: It depends on TLS 1.3 and, as mentioned, 1.3 is taking a while. The larger messages may take some time to deploy if we hit middlebox- or server-compatibility issues. Also the messages are currently too large to include in QUIC. But working though these problems now is a lot of the reason for doing CECPQ2—to ensure that post-quantum TLS remains feasible.

目前對抗量子電腦的演算法好像都跟 Lattice 有關,找時間來補一下基礎理論... @_@

Google 測試 CECPQ1 的一些資料...

七月的時候提到「Google Chrome 引入 CECPQ1,開始測試 Post-Quantum Cryptography」,剛剛看到 Adam Langley 寫了一些數據出來:「CECPQ1 results」。

目前看起來對於網路速度不快的使用者會影響比較大,最慢的 5% 使用者大約慢了 20ms,最慢的 1% 使用者會慢 150ms:

Although the median connection latency only increased by a millisecond, the latency for the slowest 5% increased by 20ms and, for the slowest 1%, by 150ms. Since NewHope is computationally inexpensive, we're assuming that this is caused entirely by the increased message sizes. Since connection latencies compound on the web (because subresource discovery is delayed), the data requirement of NewHope is moderately expensive for people on slower connections.

由於實驗算是完成了,加上 TLS 已經有規劃了,所以 Google Chrome 打算拔掉這個功能等標準出來:

At this point the experiment is concluded. We do not want to promote CECPQ1 as a de-facto standard and so a future Chrome update will disable CECPQ1 support. It's likely that TLS will want a post-quantum key-agreement in the future but a more multilateral approach is preferable for something intended to be more than an experiment.

Google Chrome 引入 CECPQ1,開始測試 Post-Quantum Cryptography

Quantum Computer 對現有密碼學的衝擊很大,像是 RSA 演算法是基於「質因數分解」的難題而架構出來的系統,在 Quantum Computer 上存在有效率的演算法,也就是 Shor's algorithm

雖然 Quantum Computer 在技術上還沒辦法對現有演算法造成有效的攻擊,但已經有人提出新的演算法來對抗,而 Google 打算在 Google Chrome 裡面引入測試:「Experimenting with Post-Quantum Cryptography」。

Google 也特別說明了,他們不希望這個實驗最後變成 de-facto standard (借測轉出貨的概念),而是希望當作一個開頭,希望之後可以用更好的標準換掉:

We explicitly do not wish to make our selected post-quantum algorithm a de-facto standard. To this end we plan to discontinue this experiment within two years, hopefully by replacing it with something better.