On Sat, Aug 06, 2022 at 02:40:37PM -0400, Phillip Hallam-Baker wrote:
> On Sat, Aug 6, 2022 at 1:53 PM Stephen Farrell <stephen.farr...@cs.tcd.ie>
> wrote:
> > On 06/08/2022 17:47, Phillip Hallam-Baker wrote:
> > > Are you proposing pure Kyber or a hybrid though?
> >
> > I've not heard anyone suggest securing an IETF protocol
> > only via PQC algs. It'd be incredibly dim to make that
> > suggestion IMO, esp now that two of the 3rd round entries
> > have been busted. So I'm not worried that we'd even come
> > close to landing there for TLS.

I remember hearing proposals to use PQC-only in some IETF stuff. I do
not mean hash signatures, which are very solid stuff, but I do not
offhand remember any concrete examples. Agreed that it is not a good
idea at this point.

Another thing to watch out for is stuff that ends up being a
complexity nightmare in practice. E.g., multiple certificate chains
validated in parallel.


> +1
> 
> Anything the WG does has to be proof against Quantum Cryptanalysis and
> LoW (Laptops on Weekends). The fact that the broken algorithms did not
> get picked does not change the fact that they made it to the third
> round.

Actually, there is a big difference in scariness of the two cases.

For Rainbow, as far as I am aware, the key attack techniques were
very recent, developed during the second and the third rounds of the
NISTPQC. That mostly falls into "new attacks appearing".

For SIKE, it is much much worse. The key attack techniques actually
_predated_ SIDH (which SIKE is based on) by many years. And that still
made it to the third round. Now that is scary.


Then there was a smaller third oops:

SABER: During the late third round, one well-known lattice crypto researcher
asked for cryptanalysis of the MLWR problem (used in, e.g., SABER).
Turns out there is not much. Mostly some folks applying basic smoke
tests on it (anything failing those is very broken).



-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls