On Tuesday, 19 November 2024 12:19:06 CET, D. J. Bernstein wrote:
Alicja Kario writes:
We can't use hybrid if we don't have a specification how to put hybrid
keys into X.509 certificates.

Take a specification of how to put a Dilithium key into certificates.
Modify the spec as follows: replace Dilithium with the trivial
Ed25519+Dilithium concatenation.

This immediately produces a spec of how to put Ed25519+Dilithium into
certificates. Compared to the original spec, the modified spec is less
scary and does a better job of encouraging rapid deployment. So why
spend time on the original spec?

Until you write this I-D, we don't have it.

And that there are no technical reasons for not specifying use of pure
PQ signatures.

I disagree. Specifying ECC+PQ in TLS, and skipping the specification of
just PQ in TLS, reduces security risks.

https://cr.yp.to/talks.html#2016.02.24 said "Pre-quantum signature
system P needs to be replaced with post-quantum signature system Q. Make
auditors happier: Replace P with P + Q. P + Q public key concatenates P
public key, Q public key. P + Q signature concatenates P signature, Q
signature. ... Auditor sees very easily that Ed25519+SPHINCS-256
security >= Ed25519 security." I was using software updates as an
example (later I discussed KEMs and also mentioned keeping an ECC layer
for those), and commented that keeping ECC had "unnoticeable cost".

Or:
Auditor sees that P + Q system is more complex to implement and validate
than a simple Q system, therefore ML-DSA security > ML-DSA+Ed25519 security.

And even if I don't believe it, I won't be able to provide sufficient
arguments to convince the customer that the auditor is wrong.

--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
