Not sure I understand your point, Watson, but for the environments that cannot tweak configuration, or otherwise effectively turn on/off algorithms, a composite signature with a PQ and an ECC algorithm is the most viable option.
On Fri, Nov 15, 2024 at 3:02 PM Watson Ladd <watsonbl...@gmail.com> wrote:
>
> On Fri, Nov 15, 2024, 2:59 PM Andrey Jivsov <cry...@brainhub.org> wrote:
>
>> Classic McEliece team shows that over the last 10 years lattice crypto
>> strength dropped as the equivalence of AES192 to AES128. Will this trend
>> continue?
>>
>> In some deployments there may be a need to turn on a PQ method soon, and
>> keep using, e.g. when configurability is not an option. Also, if a change
>> in configuration is possible at a later time to enable a PQ method, ECC may
>> still be secure.
>>
>> Overall, I think it is safer to deploy a hybrid solution as the main
>> option, and either enable it soon, or later.
>
> If you don't want to depend on being able to switch there is one signature
> algorithm secure if any of the candidates are.
>
>> On Fri, Nov 15, 2024 at 11:46 AM Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote:
>>
>>> I happen to think that standalone ML-DSA in TLS is a controversial issue.
>>>
>>> And I respectfully disagree. As has been pointed out already, you cannot
>>> authenticate tomorrow on somebody else's yesterday's connection.
>>>
>>> In practice, PQ authentication is not an immediate issue in a sense of
>>> "record now, decrypt later".
>>>
>>> Exactly. Except that my conclusion from this is – no hybrid is
>>> necessary. Either move to PQ, or remain with Classic and keep
>>> observing/studying PQ.
>>>
>>> There is also an issue of what signatures in X.509 certs will look like.
>>> Especially in CA certificates, these may favor ML-DSA+ECC vs. ML-DSA, so
>>> there would need to be support by TLS stack for the hybrid for that reason.
>>>
>>> This all is based on the assumption that ML-DSA would fail, but ECC
>>> won't. I find this highly improbable.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org