On Fri, Nov 15, 2024, 2:59 PM Andrey Jivsov <cry...@brainhub.org> wrote:

> Classic McEliece team shows that over the last 10 years lattice crypto
> strength dropped as the equivalence of AES192 to AES128. Will this trend
> continue?
>
> In some deployments there may be a need to turn on a PQ method soon, and
> keep using it, e.g. when configurability is not an option. Also, if a change
> in configuration is possible at a later time to enable a PQ method, ECC may
> still be secure.
>
> Overall, I think it is safer to deploy a hybrid solution as the main
> option, and either enable it soon, or later.
>

If you don't want to depend on being able to switch, there is one signature
algorithm secure if any of the candidates are.


> On Fri, Nov 15, 2024 at 11:46 AM Blumenthal, Uri - 0553 - MITLL <
> u...@ll.mit.edu> wrote:
>
>> I happen to think that standalone ML-DSA in TLS is a controversial issue.
>>
>> And I respectfully disagree. As has been pointed out already, you cannot
>> authenticate tomorrow on somebody else's connection from yesterday.
>>
>> In practice, PQ authentication is not an immediate issue in a sense of
>> "record now, decrypt later".
>>
>> Exactly. Except that my conclusion from this is – no hybrid is necessary.
>> Either move to PQ, or remain with Classic and keep observing/studying PQ.
>>
>> There is also an issue of what signatures in X.509 certs will look like.
>> Especially in CA certificates, these may favor ML-DSA+ECC vs. ML-DSA, so
>> there would need to be support by TLS stack for the hybrid for that reason.
>>
>> This all is based on the assumption that ML-DSA would fail, but ECC
>> won't. I find this highly improbable.
>>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
>
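The "one signature algorithm secure if any of the candidates are" mentioned in the reply above is a composite (AND) signature: the message is signed with both component schemes and a verifier accepts only if both component signatures check out, so a forger has to break both. The block below is an added illustration of that combiner and is not code from the thread, from any TLS stack, or from the LAMPS composite-signature drafts (whose encoding it does not follow). It assumes Ed25519 as a stand-in for the ML-DSA slot, because the Go standard library has no ML-DSA, and uses ECDSA P-256 for the ECC slot; the `hybridLabel` domain separator and all type and function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// HybridSigner holds one ECC key (ECDSA P-256) and one key for the second
// slot. Ed25519 stands in for ML-DSA here (assumption: Go's standard library
// has no ML-DSA); the combiner, not the component, is what is demonstrated.
type HybridSigner struct {
	ecc *ecdsa.PrivateKey
	pq  ed25519.PrivateKey
}

// HybridVerifier carries the matching public keys.
type HybridVerifier struct {
	ecc *ecdsa.PublicKey
	pq  ed25519.PublicKey
}

// HybridSignature is the pair of component signatures; both must be present.
type HybridSignature struct {
	ECC []byte // DER-encoded ECDSA signature
	PQ  []byte // second-slot signature (Ed25519 stand-in)
}

// hybridLabel is an assumed domain separator, so that a component signature
// lifted out of the pair does not verify as a plain signature on the raw message.
const hybridLabel = "hybrid-sig-example-v1"

// bind derives the bytes both components sign: SHA-256(len(label) || label || msg).
func bind(msg []byte) []byte {
	h := sha256.New()
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(hybridLabel)))
	h.Write(l[:])
	h.Write([]byte(hybridLabel))
	h.Write(msg)
	return h.Sum(nil)
}

// GenerateHybrid creates independent key pairs for both slots.
func GenerateHybrid() (*HybridSigner, *HybridVerifier, error) {
	ecc, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &HybridSigner{ecc: ecc, pq: priv}, &HybridVerifier{ecc: &ecc.PublicKey, pq: pub}, nil
}

// Sign produces both component signatures over the bound message.
func (s *HybridSigner) Sign(msg []byte) (HybridSignature, error) {
	m := bind(msg)
	eccSig, err := ecdsa.SignASN1(rand.Reader, s.ecc, m)
	if err != nil {
		return HybridSignature{}, err
	}
	return HybridSignature{ECC: eccSig, PQ: ed25519.Sign(s.pq, m)}, nil
}

// Verify accepts only if BOTH components verify. Breaking one scheme (the
// "ML-DSA fails but ECC does not" case, or the reverse) is not enough, and a
// signature with a component stripped out is rejected rather than downgraded.
func (v *HybridVerifier) Verify(msg []byte, sig HybridSignature) error {
	if len(sig.ECC) == 0 || len(sig.PQ) == 0 {
		return errors.New("hybrid: missing component signature")
	}
	m := bind(msg)
	if !ecdsa.VerifyASN1(v.ecc, m, sig.ECC) {
		return errors.New("hybrid: ECDSA component failed")
	}
	if !ed25519.Verify(v.pq, m, sig.PQ) {
		return errors.New("hybrid: second component failed")
	}
	return nil
}

func main() {
	s, v, err := GenerateHybrid()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: CertificateVerify transcript bytes")
	sig, err := s.Sign(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("both components intact:", v.Verify(msg, sig))
	sig.PQ[0] ^= 0x01 // corrupt the second slot only
	fmt.Println("second component corrupted:", v.Verify(msg, sig))
	fmt.Println("ECC-only (stripped):", v.Verify(msg, HybridSignature{ECC: sig.ECC}))
}
```

A standalone ML-DSA deployment is the `PQ`-only version of this verifier with no ECC check; the hybrid costs one extra ECC verification per handshake and one extra signature in the certificate, which is the trade-off the thread is arguing about.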