> On Jul 23, 2023, at 04:46, bingma2022=40skiff....@dmarc.ietf.org wrote:
>
> https://www.ambit.inc/pdf/KyberDrive.pdf
>
> It says "Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum security (core-SVP hardness)." So the future version of TLS may require triple 256-bit AES. Since meet-in-the-middle attack, it requires three different 256-bit AES keys. Furthermore, consider whether to use post-quantum RSA (even if NIST said it does NOT guarantee quantum resistance) for hybrid TLS, because pqRSA provides much higher security level for classical computers.
>
> https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/PostQuantum_RSA_Enc.zip
>
> The document says "pqRSA provides much higher pre-quantum security levels than most post-quantum proposals." In conclusion, Kyber1024 is more secure than AES for quantum computers, but triple 256-bit AES is more secure than Kyber1024 for classical computers, it may need post-quantum RSA (even though it's NOT post-quantum) for hybrid TLS handshake.

While I let this one through the moderator queue, it might be more appropriate for the CFRG.

> NSA still has NOT approved ChaCha20 for their ciphersuite.

On this point, you’ll need to take that up with them ;)

Cheers,
spt

> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls