Robert, I can’t agree more.
Except: Structured Lattices indeed have been around not as long as, e.g., RSA or ECC - but for how long have RSA or ECC been around before they were included in cryptographic protocols? Without Hybrid?

Thanks!

Regards,
Uri

> On Aug 9, 2022, at 16:58, Robert Relyea <rrel...@redhat.com> wrote:
>
> On 8/6/22 11:40 AM, Phillip Hallam-Baker wrote:
>> +1
>>
>> Anything the WG does has to be proof against Quantum Cryptanalysis and LoW
>> (Laptops on Weekends). The fact that the broken algorithms did not get
>> picked does not change the fact that they made it to the third round.
> Lumping all the algorithms together is just a strawman. Yes, two algorithms
> made it to the 3rd and were broken. The reason Rainbow wasn't picked was
> because it was broken before the end of the 3rd round. Multivariate equations
> sounded good at the beginning, but all forms and uses of multivariate have
> been broken.
>
> SIKE was in the 3rd round as an alternate. It was an alternate precisely
> because the idea had the least time in which people were pushing on it. It was
> never going to be picked as the final in this round. The algorithms in the
> alternate list are there precisely because they are interesting, but not proven.
>
> Structured Lattice is in between. It's been around a lot longer than
> Multivariate or SIKE, but not as long as ECC, RSA or classic Code Based
> algorithms. It's good to be skeptical, but it's also time to start getting
> experience with it.
>
>>>
>>> On Sat, Aug 6, 2022 at 1:53 PM Stephen Farrell <stephen.farr...@cs.tcd.ie>
>>> wrote:
>>>>
>>>> On 06/08/2022 17:47, Phillip Hallam-Baker wrote:
>>>> > Are you proposing pure Kyber or a hybrid though?
>>>>
>>>> I've not heard anyone suggest securing an IETF protocol
>>>> only via PQC algs. It'd be incredibly dim to make that
>>>> suggestion IMO, esp now that two of the 3rd round entries
>>>> have been busted. So I'm not worried that we'd even come
>>>> close to landing there for TLS.
>>
>> hybrid is where we should be now. We should have some confidence in Kyber,
>> but we have a lot of confidence in RSA and ECC.
>>
>> The issue of Kyber isn't that 2 3rd round entries were busted. The worry is
>> we are still learning about the potential gotchas of structured lattice.
>> (You thought side channel attacks on RSA were bad, wait until you have to
>> implement a secure lattice cypher).
>>
>> bob
>>
>>> S.
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls