On Fri, 2016-03-04 at 13:49 +0000, Scott Fluhrer (sfluhrer) wrote:
> > > Given that there probably is no long term future for RSA anyway
> > > (people want ECC and postquantum is ahead) I doubt anything else
> > > than the primitives we already have in standards will ever be
> > > viable.
> >
> > On the contrary. If we have a future with quantum computers
> > available, the only thing that we have now and would work is RSA
> > with larger keys, not ECC.
>
> RSA isn't *that* much more secure against a Quantum Computer than
> ECC. It would appear to take a larger Quantum Computer to break RSA
> than it would to break ECC (for reasonable moduli/curve sizes),
> however not that much more. It is possible that, at one stage, we'll
> be able to build a QC that's just large enough to break EC curves,
> but not larger RSA keys - however, we would be likely to be able to
> scale up our QC to be a bit larger; possibly in a few months, quite
> likely in a year or two. Hence, moving back to RSA would appear
> likely to buy us only a short window...
>
> I agree with Hanno; if we're interested in defending against a
> Quantum Computer, post Quantum algorithms are the way to go
Assuming that we have such algorithms which are practical to manage and
deploy, we would first need to enhance existing protocols with them,
including TLS and PKI. Then it is only the (simple) task of
upgrading/replacing every single piece of infrastructure we have today,
from certificates to implementations, with the new algorithms.

Unless you can use the quantum computer to complete the above transition
overnight, the quickest way to defend against the presence of a quantum
computer is by allowing larger RSA keys.

regards,
Nikos

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls