Classic McEliece team shows that over the last 10 years lattice crypto
strength dropped as the equivalence of AES192 to AES128. Will this trend
continue?

In some deployments there may be a need to turn on a PQ method soon, and
keep using it, e.g., when configurability is not an option. Also, if a change
in configuration is possible at a later time to enable a PQ method, ECC may
still be secure.

Overall, I think it is safer to deploy a hybrid solution as the main
option, and either enable it soon, or later.

On Fri, Nov 15, 2024 at 11:46 AM Blumenthal, Uri - 0553 - MITLL <
u...@ll.mit.edu> wrote:

> I happen to think that standalone ML-DSA in TLS is a controversial issue.
>
>
>
> And I respectfully disagree. As has been pointed out already, you cannot
> authenticate tomorrow on somebody else's yesterday's connection.
>
>
>
> In practice, PQ authentication is not an immediate issue in a sense of
> "record now, decrypt later".
>
>
>
> Exactly. Except that my conclusion from this is – no hybrid is necessary.
> Either move to PQ, or remain with Classic and keep observing/studying PQ.
>
>
>
> There is also an issue of what signatures in X.509 certs will look like.
> Especially in CA certificates, these may favor ML-DSA+ECC vs. ML-DSA, so
> there would need to be support by TLS stack for the hybrid for that reason.
>
>
>
> This all is based on the assumption that ML-DSA would fail, but ECC won’t.
> I find this highly improbable.
>
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org