Why would TLS require triple AES? If you’re worried that Grover’s attack reduces the strength of AES-256 to 128 bits, well, yes it does – unless we are extremely impatient. If the attacker insists that the attack succeeds before, say, the Sun turns into a red giant, running Grover’s on a single Quantum Computer doesn’t work – and running it in parallel enough to reduce it to something practical drastically reduces the savings that Grover’s gives us.
And, in any case, we shouldn’t be obsessed with making sure that all the primitives we use have precisely the same security strength – it is quite sufficient if they are all ‘secure’, and AES-256 certainly meets that criterion for any plausible attacker (hence, any practical meaning of secure).

From: TLS <tls-boun...@ietf.org> On Behalf Of bingma2022=40skiff....@dmarc.ietf.org
Sent: Sunday, July 23, 2023 4:46 AM
To: tls@ietf.org
Subject: [TLS] whitepaper from ambit inc

https://www.ambit.inc/pdf/KyberDrive.pdf

It says "Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum security (core-SVP hardness)."

So the future version of TLS may require triple 256-bit AES. Because of the meet-in-the-middle attack, it requires three different 256-bit AES keys.

Furthermore, consider whether to use post-quantum RSA (even if NIST said it does NOT guarantee quantum resistance) for hybrid TLS, because pqRSA provides a much higher security level for classical computers.
https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/PostQuantum_RSA_Enc.zip
The document says "pqRSA provides much higher pre-quantum security levels than most post-quantum proposals."

In conclusion, Kyber1024 is more secure than AES for quantum computers, but triple 256-bit AES is more secure than Kyber1024 for classical computers, so it may need post-quantum RSA (even though it's NOT post-quantum) for the hybrid TLS handshake.

NSA still has NOT approved ChaCha20 for their ciphersuite.
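As an added illustration of the parallelization point made in the reply (not part of the thread), here is a small cost model for Grover's search split across p machines, each covering a disjoint slice of the key space. The 5-billion-year deadline and the 1 ns per Grover iteration are constructed assumptions (a real AES-256 oracle per iteration would be far slower), and the iteration count uses the standard (pi/4)*sqrt(N) estimate.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400


def grover_single_machine_iterations(key_bits):
    """Sequential Grover iterations to search 2^key_bits keys on one machine."""
    return (math.pi / 4) * math.sqrt(2.0 ** key_bits)


def machines_needed(key_bits, wall_clock_seconds, seconds_per_iteration):
    """Minimum number of independent Grover instances, each searching a disjoint
    slice of the key space, so that every instance finishes inside the deadline.
    One machine does (pi/4)*sqrt(N/p) iterations; solve that bound for p."""
    budget_iterations = wall_clock_seconds / seconds_per_iteration
    slice_size = (budget_iterations * 4 / math.pi) ** 2  # largest N/p one machine can cover
    return max(1.0, 2.0 ** key_bits / slice_size)


def effective_security_bits(key_bits, machines):
    """log2 of total work: p machines * (pi/4)*sqrt(N/p) each = (pi/4)*sqrt(N*p).
    Splitting the search over p machines costs a factor sqrt(p) in total work,
    which is why parallel Grover eats most of the quadratic speedup."""
    total_iterations = (math.pi / 4) * math.sqrt(2.0 ** key_bits * machines)
    return math.log2(total_iterations)


def red_giant_scenario(key_bits=256, years=5e9, seconds_per_iteration=1e-9):
    """Constructed scenario: finish before the Sun becomes a red giant (~5e9 years,
    an assumption) at one Grover iteration per nanosecond (also an assumption)."""
    deadline = years * SECONDS_PER_YEAR
    p = machines_needed(key_bits, deadline, seconds_per_iteration)
    return {
        "sequential_iterations_log2": math.log2(grover_single_machine_iterations(key_bits)),
        "machines_log2": math.log2(p),
        "effective_security_bits": effective_security_bits(key_bits, p),
    }


if __name__ == "__main__":
    for name, value in red_giant_scenario().items():
        print(f"{name}: {value:.1f}")
```

With these assumptions the single-machine search needs about 2^127.7 sequential iterations, meeting the deadline takes roughly 2^81 machines, and the total work rises to about 2^168, well above the "AES-256 becomes 128-bit" figure.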