https://www.ambit.inc/pdf/KyberDrive.pdf

It says "Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum security (core-SVP hardness)." So the future version of TLS may require triple 256-bit AES. Because of the meet-in-the-middle attack, it requires three different 256-bit AES keys.

Furthermore, consider whether to use post-quantum RSA (even if NIST said it does NOT guarantee quantum resistance) for hybrid TLS, because pqRSA provides a much higher security level for classical computers.

https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/PostQuantum_RSA_Enc.zip

The document says "pqRSA provides much higher pre-quantum security levels than most post-quantum proposals."

In conclusion, Kyber1024 is more secure than AES for quantum computers, but triple 256-bit AES is more secure than Kyber1024 for classical computers; it may need post-quantum RSA (even though it's NOT post-quantum) for the hybrid TLS handshake.

NSA still has NOT approved ChaCha20 for their ciphersuite.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls