Yoav Nir writes:
> To justify a hybrid key exchange you need people who are both worried
> about quantum computers and worried about cryptanalysis or the new
> algorithms, but are willing to bet that those things won't happen at
> the same time. Or at least, within the time where the generated key
> still matters.
Google and Cloudflare encrypted quite a bit of actual user data using SIKE:

https://blog.cloudflare.com/the-tls-post-quantum-experiment/

The only reason this didn't give the user data away to today's attackers is that Google and Cloudflare had the common sense to insist that any post-quantum algorithm be added as a second layer of encryption on top of the existing X25519 layer, rather than removing the existing layer.

That was in 2019. For anyone who thinks a few years of subsequent study were enough for the public to identify which post-quantum cryptosystems are breakable, it's useful to look at NIST's official report

https://web.archive.org/web/20220705160405/https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf

in July 2022 saying that

   * SIKE is "being considered for future standardization";

   * regarding NIST deciding to throw away FrodoKEM: "While NIST intends to select at least one additional KEM not based on structured lattices for standardization after the fourth round, three other KEM alternates (BIKE, HQC, and SIKE) are better suited than FrodoKEM for this role";

   * "SIKE remains an attractive candidate for standardization because of its small key and ciphertext sizes";

   * regarding NIST delaying a decision on Classic McEliece: "For applications that need a very small ciphertext, SIKE may turn out to be more attractive";

   * regarding torsion-point attacks: "there has been no impact on SIKE".

SIKE had been advertised in 2021 (https://eprint.iacr.org/2021/543) as "A decade unscathed". I think I was the only person speaking up to object (https://twitter.com/hashbreaker/status/1387779717370048518), and as far as I know there was only one other cryptographer on record recommending against using SIKE.

---D. J. Bernstein
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
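The "second layer" point in the message above, as an added worked example (written for this page; it is not code from Bernstein, Google, Cloudflare or the IETF): the classical layer is X25519 implemented from RFC 7748, the post-quantum KEM is replaced by a stand-in shared secret drawn at random (a placeholder for whatever SIKE or another KEM would have produced), and the two secrets are fed together into one HMAC-SHA256 based KDF, the concatenation style of combiner used in hybrid TLS designs. The KDF label string is made up for the example, and the ladder uses a plain branch for the conditional swap, so it is not constant-time and is for illustration only. The demo shows what the message relies on: an attacker who learns the post-quantum secret (the SIKE break) still lacks the X25519 secret and so cannot reproduce the session key.

```python
import hashlib
import hmac
import os

# --- Classical layer: X25519 scalar multiplication per RFC 7748 ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """RFC 7748 clamping of a 32-byte private scalar."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder on Curve25519. NOTE: the swap below is a plain
    branch, i.e. not constant-time; fine for illustration, not for use."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# --- Combiner: both shared secrets go through one KDF ---
def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (extract with a zero salt, then a single expand block)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def hybrid_key(ss_classical: bytes, ss_pq: bytes) -> bytes:
    """Concatenation combiner: the session key depends on both inputs, so
    recovering one of them (say, by breaking the PQ KEM) is not enough."""
    return hkdf_sha256(ss_classical + ss_pq, b"example hybrid label")  # constructed label


def demo_handshake() -> tuple:
    """Run one hybrid exchange; returns (both sides agree, attacker with
    only the PQ secret does not get the key)."""
    a_priv, b_priv = os.urandom(32), os.urandom(32)
    a_pub, b_pub = x25519(a_priv, BASEPOINT), x25519(b_priv, BASEPOINT)
    ss_classical_alice = x25519(a_priv, b_pub)
    ss_classical_bob = x25519(b_priv, a_pub)
    # Placeholder for the PQ KEM's shared secret (constructed, random).
    ss_pq = os.urandom(32)
    k_alice = hybrid_key(ss_classical_alice, ss_pq)
    k_bob = hybrid_key(ss_classical_bob, ss_pq)
    # Model the SIKE break: the attacker knows ss_pq exactly, but has no
    # X25519 secret, so the best they can do is plug in some other value.
    k_attacker = hybrid_key(b"\x00" * 32, ss_pq)
    return k_alice == k_bob, k_alice != k_attacker


if __name__ == "__main__":
    print(demo_handshake())
```

The X25519 part can be checked against the RFC 7748 section 6.1 test vectors; the combiner is the part to focus on: dropping the classical secret from the input, which is what "removing the existing layer" would have meant, makes the session key a function of the PQ secret alone.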