On Fri, Nov 15, 2024, 3:32 PM Andrey Jivsov <cry...@brainhub.org> wrote:
> Not sure I understand your point, Watson, but for the environments that
> cannot tweak configuration, or otherwise effectively turn on/off
> algorithms, a composite signature with a PQ and an ECC algorithm is the
> most viable option.
> Why not hash based signatures?
>
> On Fri, Nov 15, 2024 at 3:02 PM Watson Ladd <watsonbl...@gmail.com> wrote:
>
>> On Fri, Nov 15, 2024, 2:59 PM Andrey Jivsov <cry...@brainhub.org> wrote:
>>
>>> Classic McEliece team shows that over the last 10 years lattice crypto
>>> strength dropped as the equivalence of AES192 to AES128. Will this trend
>>> continue?
>>>
>>> In some deployments there may be a need to turn on a PQ method soon, and
>>> keep using, e.g. when configurability is not an option. Also, if a change
>>> in configuration is possible at a later time to enable a PQ method, ECC may
>>> still be secure.
>>>
>>> Overall, I think it is safer to deploy a hybrid solution as the main
>>> option, and either enable it soon, or later.
>>
>> If you don't want to depend on being able to switch there is one
>> signature algorithm secure if any of the candidates are.
>>
>>> On Fri, Nov 15, 2024 at 11:46 AM Blumenthal, Uri - 0553 - MITLL <
>>> u...@ll.mit.edu> wrote:
>>>
>>>> I happen to think that standalone ML-DSA in TLS is a controversial
>>>> issue.
>>>>
>>>> And I respectfully disagree. As has been pointed out already, you cannot
>>>> authenticate tomorrow on somebody else's yesterday's connection.
>>>>
>>>> In practice, PQ authentication is not an immediate issue in a sense of
>>>> "record now, decrypt later".
>>>>
>>>> Exactly. Except that my conclusion from this is – no hybrid is
>>>> necessary. Either move to PQ, or remain with Classic and keep
>>>> observing/studying PQ.
>>>>
>>>> There is also an issue of what signatures in X.509 certs will look
>>>> like. Especially in CA certificates, these may favor ML-DSA+ECC vs.
>>>> ML-DSA, so there would need to be support by TLS stack for the hybrid for
>>>> that reason.
>>>>
>>>> This all is based on the assumption that ML-DSA would fail, but ECC
>>>> won't. I find this highly improbable.
>>>
>>> _______________________________________________
>>> TLS mailing list -- tls@ietf.org
>>> To unsubscribe send an email to tls-le...@ietf.org