On Sun, Aug 7, 2022 at 11:53 AM Sofía Celi <cheren...@riseup.net> wrote:

> Dear all,
>
> Late to reply to some emails. I was just travelling ;)
>
> >      > I am now thinking in terms of 'Post Quantum Hardened" and "Post
> >     Quantum
> >      > Qualified". Hardening a system so it doesn't completely break
> >     under QCC
> >      > is a practical near term goal. Getting to a fully qualified
> >     system is
> >     going to be a root-canal job.
> >
> >     There is a notion of being 'quantum annoyant' to a quantum computer:
> >     perhaps that might be a starting point for other schemes that do not
> >     have a post-quantum counterpart as of right now. For others, a hybrid
> >     approach should definitely be taken such that classical cryptography
> >     still protects data.
> >
> >
> > I am using PQC to protect the data and Threshold-ECC to protect the data
> > with separation of roles.
>
> Unfortunately, Threshold-ECC does not have a properly assessed quantum
> secure version. There are some thoughts over here if interested:
>
> https://csrc.nist.gov/CSRC/media/Events/Second-PQC-Standardization-Conference/documents/accepted-papers/cozzo-luov-paper.pdf


Right now, there is little to no interest in applying threshold to data at
rest so it would be ludicrous to make threshold a requirement at this stage.

But data at rest is where about half the breaches occur (the other half
being data in use as in when a database or application has a file in
memory). And separation of roles is our most powerful tool for securing
data at rest. And threshold is the name for cryptographic tools that
enforce separation of roles.

The original reason I went away to do my own stuff is that it is really
difficult to get clarity on the underlying principles when one is focused
on maintenance of a highly constrained system like PKIX/WebPKI, TLS, etc.
So one of the original goals was to have something I could use for
'experiments' and then attempt to apply the same principles to the legacy
systems. Which is what I am doing here.


So no, Threshold PQC (TPQC) is not yet a thing. But now that the NIST
competition is winding down, it looks to me like there are going to be a
large number of out of work cryptographers unless they can find a new
problem to work on.

TPQC signatures are a really low priority for me. Multi signatures work
fine for almost any use case. What I really need are mechanisms for
generating keys from threshold shares and for key agreement split into
threshold shares.

A system that works for n=t=2 (two shares, both required) more than meets
the 80:20 rule.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
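As an added illustration of the n=t=2 mechanism the post asks for (key generation from threshold shares and key agreement split across the shares), here is example code written for this page; it is not code from the author's own system, from any IETF draft, or from the NIST paper linked above. It assumes the simplest construction, additive shares d = d1 + d2 mod n on NIST P-256; the post does not say which construction the author has in mind, so that choice is an assumption. The arithmetic is pure Python, affine and variable-time, so it is for reading rather than deployment, and being ECC-based it is exactly the kind of scheme that, as the quoted reply notes, has no properly assessed post-quantum counterpart yet.

```python
"""2-of-2 additive threshold ECDH on NIST P-256 in pure Python.

Added illustration for this thread (not the author's or the IETF's code).
Each holder keeps d_i; the full key d = d1 + d2 (mod N) is never assembled,
yet the pair can jointly do key agreement against an ordinary single-key peer.
"""
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition, handling identity, doubling and P + (-P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1 (also covers y == 0)
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Right-to-left double-and-add; pt is assumed to have order N. Variable time."""
    k %= N
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def kdf(pt):
    """Derive a 32-byte key from the x-coordinate of a shared point."""
    return hashlib.sha256(pt[0].to_bytes(32, "big")).digest()


# --- threshold side: two holders, both required (n = t = 2) ---------------
def gen_share():
    """Each holder samples its own share locally: no dealer, no full key anywhere."""
    return secrets.randbelow(N - 1) + 1


def share_public(d_i):
    """Holder publishes Q_i = d_i * G; the sum of the Q_i is the group public key."""
    return mul(d_i, G)


def group_public(Q1, Q2):
    Q = add(Q1, Q2)
    if Q is INF:  # d1 + d2 == 0 mod N: a holder must regenerate its share
        raise ValueError("degenerate share pair")
    return Q


def partial_agree(d_i, peer_pub):
    """Holder i computes d_i * E; it learns nothing about the other share."""
    return mul(d_i, peer_pub)


def combine(S1, S2):
    """Combiner adds the partial results: d1*E + d2*E = (d1 + d2) * E."""
    return kdf(add(S1, S2))


# --- an ordinary single-key peer, unaware that the other side is split -----
def peer_agree(e, Q):
    return kdf(mul(e, Q))


def roundtrip(d1, d2, e):
    """Return (threshold-side key, peer's key, key from share 1 alone)."""
    Q = group_public(share_public(d1), share_public(d2))
    E = mul(e, G)
    k_threshold = combine(partial_agree(d1, E), partial_agree(d2, E))
    k_peer = peer_agree(e, Q)
    k_one_share = kdf(partial_agree(d1, E))  # one share alone is not enough
    return k_threshold, k_peer, k_one_share


if __name__ == "__main__":
    kt, kp, k1 = roundtrip(gen_share(), gen_share(), gen_share())
    print("threshold == peer:", kt == kp, "| single share == peer:", k1 == kp)
```

The point of the layout is the separation of roles the post is after: neither holder ever sees d, the combiner sees only curve points, and the peer runs plain ECDH against Q. For anything beyond illustration, a constant-time library scalar multiplication would replace mul(), and the shares would need the same storage protection as any private key.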
