Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Peter Gutmann
Phillip Hallam-Baker writes: >Quantum Annoyance: I thought a Quantum Annoyance was someone who keeps banging on about imaginary attacks that don't exist as a means of avoiding having to deal with actual attacks that have been happening for years without being addressed. Peter.

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Bas Westerbaan
> > That is not the only model of quantum computing. If it was, I would be > saying this entire effort is a silly waste of time because the approach is > fundamentally unscalable. They can throw lots of gates onto a chip but the > entanglement collapses before they can be used. > The whole point o

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Sofía Celi
Dear, all, Late to reply to some emails. I was just travelling ;) > I am now thinking in terms of 'Post Quantum Hardened" and "Post Quantum > Qualified". Hardening a system so it doesn't completely break under QCC > is a practical near term goal. Getting to a fully qualif

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Sofía Celi
Dear, all, On 06/08/2022 07:15, Benjamin Kaduk wrote: On Fri, Aug 05, 2022 at 07:16:06PM -0700, Rob Sayre wrote: On Fri, Aug 5, 2022 at 5:16 PM Sofía Celi wrote: There is a notion of being 'quantum annoyant' to a quantum computer: I've encountered the term "quantum annoyant" a few times.

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Sofía Celi
Dear, all, On 06/08/2022 13:00, Rob Sayre wrote: On Fri, Aug 5, 2022 at 10:15 PM Benjamin Kaduk wrote: It's annoying to the attacker when they have to use their expensive and finicky hardware once (or multiple times) for each individual message/excha

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Phillip Hallam-Baker
On Sun, Aug 7, 2022 at 3:52 AM Peter Gutmann wrote: > Phillip Hallam-Baker writes: > > >Quantum Annoyance: > > I thought a Quantum Annoyance was someone who keeps banging on about > imaginary > attacks that don't exist as a means of avoiding having to deal with actual > attacks that have been ha

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Phillip Hallam-Baker
On Sun, Aug 7, 2022 at 11:53 AM Sofía Celi wrote: > Dear, all, > > Late to reply to some emails. I was just travelling ;) > > > > I am now thinking in terms of 'Post Quantum Hardened" and "Post > > Quantum > > > Qualified". Hardening a system so it doesn't completely break > > u

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Blumenthal, Uri - 0553 - MITLL
> > I thought a Quantum Annoyance was someone who keeps banging on about > > imaginary > > attacks that don't exist as a means of avoiding having to deal with actual > > attacks that have been happening for years without being addressed. > > That is a little unfair but only a little. I don't thin

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Phillip Hallam-Baker
On Sun, Aug 7, 2022 at 1:31 PM Blumenthal, Uri - 0553 - MITLL < u...@ll.mit.edu> wrote: > > > KGB doctrine was always that every communication be secured by two > independent technologies > > using separate principles.. > > I'm sorry to disappoint you, but the above is simply untrue. > Read Victo

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Scott Fluhrer (sfluhrer)
> -Original Message- > From: TLS On Behalf Of Blumenthal, Uri - 0553 - > MITLL > Sent: Sunday, August 7, 2022 1:32 PM > To: Phillip Hallam-Baker > Cc: TLS@ietf.org > Subject: Re: [TLS] Before we PQC... Re: PQC key exchange sizes > > > > I thought a Quantum Annoyance was someone who keeps

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Rob Sayre
On Sun, Aug 7, 2022 at 1:59 PM Scott Fluhrer (sfluhrer) wrote: > > Actually, we came up with the concept while evaluating PAKEs for the CFRG, > and in that context, it makes sense. The problem is that the term "Quantum Annoyance" is an equivocation. > you're still "mostly safe". > Like

Re: [TLS] Before we PQC... Re: PQC key exchange sizes

2022-08-07 Thread Stephen Farrell
Hiya, On 07/08/2022 21:58, Scott Fluhrer (sfluhrer) wrote: Hence, what we are proposing is no less secure than what we are currently doing now. Well, except there'll be a whole pile of new code, which is a fine way to be less secure. Now for key establishment that's not too bad perhaps, but

Re: [TLS] [Technical Errata Reported] RFC8446 (7073)

2022-08-07 Thread Martin Thomson
This is correct, though I would have extended this to say ", except for post-handshake authentication, which uses keys derived from the current [sender]_application_traffic_secret_N." or similar. On Sat, Aug 6, 2022, at 23:03, RFC Errata System wrote: > The following errata report has been submi