On 8/6/22 11:40 AM, Phillip Hallam-Baker wrote:
+1

Anything the WG does has to be proof against Quantum Cryptanalysis and LoW (Laptops on Weekends). The fact that the broken algorithms did not get picked does not change the fact that they made it to the third round.

Lumping all the algorithms together is just a strawman. Yes, two algorithms made it to the 3rd round and were broken. The reason Rainbow wasn't picked was because it was broken before the end of the 3rd round. Multivariate equations sounded good at the beginning, but all forms and uses of multivariate have been broken.

SIKE was in the 3rd round as an alternate. It was an alternate precisely because the idea had had the least time in which people had worked on pushing on it. It was never going to be picked as the final in this round. The algorithms in the alternate list are there precisely because they are interesting, but not proven.

Structured lattice is in between. It's been around a lot longer than multivariate or SIKE, but not as long as ECC, RSA or classic code-based algorithms. It's good to be skeptical, but it's also time to start getting experience with it.

On Sat, Aug 6, 2022 at 1:53 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:



    On 06/08/2022 17:47, Phillip Hallam-Baker wrote:
    > Are you proposing pure Kyber or a hybrid though?

    I've not heard anyone suggest securing an IETF protocol
    only via PQC algs. It'd be incredibly dim to make that
    suggestion IMO, esp now that two of the 3rd round entries
    have been busted. So I'm not worried that we'd even come
    close to landing there for TLS.


Hybrid is where we should be now. We should have some confidence in Kyber, but we have a lot of confidence in RSA and ECC.

The issue with Kyber isn't that two 3rd round entries were busted. The worry is that we are still learning about the potential gotchas of structured lattices. (You thought side channel attacks on RSA were bad? Wait until you have to implement a secure lattice cipher.)

bob

    S.


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
