Watson Ladd writes:
> Authentication is not like encryption.

I presume that you're alluding to the following process: if the PQ signature system is broken, we revert to ECC signatures, and then the attacker doesn't benefit from forging the no-longer-accepted signatures (whereas we can't stop attackers from breaking previous ciphertexts).
This process leaves computers completely exposed until they've reverted to ECC. Sure, some environments are fast to make changes, but some aren't. For comparison, using ECC+PQ in the first place avoids this security failure, and will make many people less hesitant to upgrade.

The revert-in-case-of-disaster process also leaves computers completely exposed to PQ attacks that haven't come to the public's attention yet. Out of the 69 round-1 submissions to NIST, 33 have been publicly broken by now (see https://cr.yp.to/papers.html#pqsrc), with some of the attacks not published for years; is it so hard to imagine that large-scale attackers found some attacks before the public did?

More broadly, conflating "no attacks have been published" with "no attacks are being carried out" is unjustified, an extreme form of availability bias. Occasionally there are leaks from attackers illustrating how much damage this mistake has done. Example: https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

---D. J. Bernstein
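As an added illustration of the ECC+PQ hybrid signing that the message argues for (example code written for this page, not code from the thread, from D. J. Bernstein, or from any IETF draft): a Go AND-combiner in which a hybrid signature is accepted only if both component signatures verify, so an attacker who can forge one component under the honest key still gets nothing. Go's standard library has no post-quantum signature scheme, so ECDSA P-256 stands in for the PQ component here (an assumption; a real deployment would substitute the PQ scheme). The type names, context string and sample message are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HybridPublicKey holds both component public keys. A hybrid signature is
// accepted only if BOTH component signatures verify against it.
type HybridPublicKey struct {
	Classical ed25519.PublicKey
	Second    *ecdsa.PublicKey // stand-in for the PQ component (assumption, see lead-in)
}

// HybridPrivateKey holds the matching component private keys.
type HybridPrivateKey struct {
	Classical ed25519.PrivateKey
	Second    *ecdsa.PrivateKey
}

// HybridSignature carries one signature per component.
type HybridSignature struct {
	Classical []byte
	Second    []byte
}

// GenerateHybridKey creates fresh keys for both components.
func GenerateHybridKey() (*HybridPrivateKey, *HybridPublicKey, error) {
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &HybridPrivateKey{Classical: edPriv, Second: ecPriv},
		&HybridPublicKey{Classical: edPub, Second: &ecPriv.PublicKey}, nil
}

// bound prefixes the message with a constructed context string, so a component
// of a hybrid signature cannot be replayed as a plain single-scheme signature
// over the raw message.
func bound(msg []byte) []byte {
	const ctx = "hybrid-sig-example-v1\x00" // constructed label, not a standard value
	out := make([]byte, 0, len(ctx)+len(msg))
	out = append(out, ctx...)
	return append(out, msg...)
}

// Sign signs the same bound message under both components.
func Sign(priv *HybridPrivateKey, msg []byte) (*HybridSignature, error) {
	m := bound(msg)
	edSig := ed25519.Sign(priv.Classical, m)
	h := sha256.Sum256(m)
	ecSig, err := ecdsa.SignASN1(rand.Reader, priv.Second, h[:])
	if err != nil {
		return nil, err
	}
	return &HybridSignature{Classical: edSig, Second: ecSig}, nil
}

// Verify is the AND-combiner: both components must verify. A missing,
// tampered, or attacker-substituted component in either slot is rejected.
func Verify(pub *HybridPublicKey, msg []byte, sig *HybridSignature) bool {
	if pub == nil || sig == nil || pub.Second == nil {
		return false
	}
	m := bound(msg)
	okClassical := ed25519.Verify(pub.Classical, m, sig.Classical)
	h := sha256.Sum256(m)
	okSecond := ecdsa.VerifyASN1(pub.Second, h[:], sig.Second)
	return okClassical && okSecond
}

func main() {
	priv, pub, err := GenerateHybridKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("CertificateVerify transcript hash (constructed sample)")
	sig, err := Sign(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("honest hybrid signature verifies:", Verify(pub, msg, sig))
	// Model "one component broken": keep the honest second-component signature
	// (as if the attacker could forge it) and pair it with a signature from the
	// attacker's own classical key. The combiner still rejects.
	attPriv, _, _ := GenerateHybridKey()
	attSig, _ := Sign(attPriv, msg)
	mixed := &HybridSignature{Classical: attSig.Classical, Second: sig.Second}
	fmt.Println("one forged component verifies:", Verify(pub, msg, mixed))
}
```

The point the combiner makes concrete: with ECC+PQ, a break of the PQ component does not require anyone to notice and revert, because the classical component still has to check out; the revert process in the message, by contrast, protects nothing until every verifier has changed its acceptance policy.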