Blumenthal, Uri - 0553 - MITLL writes:
> You don't really need PQ DSA until CRQC is here. At this point,
> everybody seems to agree that there is time before CRQC arrives. So,
> keep studying/exploring/attacking PQ DSA, and prepare code and
> infrastructure to deploy it — but use ECC for now. . . . .

I disagree. Attackers won't tell us when they have a quantum computer, and upgrading can take a long time. My objection to the draft is different: the draft is taking unnecessary risks by using PQ instead of ECC+PQ.

[ tirumal reddy writes: ]
> > The deployment timeline for new algorithms and standards is lengthy.
> Of course. But we aren't talking about new algorithms here! Unless you
> consider ECC and/or RSA that have been in the deployed codebases for
> ages now — new?

Depending on the environment, simple one-line configuration changes can take years to roll out even when the software is already sitting there. Getting all TLS applications to accept PQ signatures won't be a fast process even after the software is completely ready. If people then learn that the PQ system is broken then getting all TLS applications to _stop_ accepting PQ signatures won't be a fast process. This means a long period of known vulnerability (looking at the whole ecosystem, not just the portions that are fastest to upgrade), plus however many years attackers are secretly exploiting the same vulnerability. Please withdraw your claim that there's "no damage possible (at least, in the TLS context) caused by PQ DSA break".

> if/when CTQC arrives — ECC (or any other Classic algorithm) become useless

"Concretely, think about a demo showing that spending a billion dollars on quantum computation can break a thousand X25519 keys. Yikes! We should be aiming for much higher security than that! We don't even want a billion-dollar attack to be able to break _one_ key! Users who care about the security of their data will be happy that we deployed post-quantum cryptography. But are the users going to say 'Let's turn off X25519 and make each session a million dollars cheaper to attack'? I'm skeptical. I think users will need to see much cheaper attacks before agreeing that X25519 has negligible security value."

> As for PQ algorithms maturity [ miscellaneous timeline statements saying nothing about attacks ]

Evaluating security risks requires looking at the attack surface, including known attacks and avenues for further attacks. Lattices are continuing to lose security every year; it's amazing to look back at https://eprint.iacr.org/2010/613 estimating security 2^150 for a proposal with lattice dimension 256.

---D. J. Bernstein
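An added example (not code from this thread or from the draft under discussion) of the ECC+PQ composition argued for in the message above, in Go: a hybrid signature verifies only if both the Ed25519 half and the post-quantum half verify, so a break of either scheme alone does not yield a forgery and nobody has to race to switch the other scheme off. It assumes a Lamport one-time hash-based signature as the PQ component, a stand-in for a lattice PQ DSA chosen because it fits in the standard library; the composition logic is the point, not the particular PQ scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Lamport one-time signature over SHA-256: hash-based, so quantum-resistant; assumed here as a stand-in for a lattice PQ DSA.
type lamportKey [256][2][32]byte

func lamportKeygen() (sk, pk *lamportKey) {
	sk, pk = new(lamportKey), new(lamportKey)
	for i := range sk {
		for b := range sk[i] {
			rand.Read(sk[i][b][:]) // secret preimage
			pk[i][b] = sha256.Sum256(sk[i][b][:])
		}
	}
	return sk, pk
}

func hashBit(h [32]byte, i int) byte { return (h[i/8] >> (7 - uint(i%8))) & 1 }

func lamportSign(sk *lamportKey, msg []byte) []byte {
	h, sig := sha256.Sum256(msg), make([]byte, 0, 256*32)
	for i := 0; i < 256; i++ { // reveal one preimage per message-hash bit
		sig = append(sig, sk[i][hashBit(h, i)][:]...)
	}
	return sig
}

func lamportVerify(pk *lamportKey, msg, sig []byte) bool {
	h, ok := sha256.Sum256(msg), len(sig) == 256*32
	for i := 0; ok && i < 256; i++ { // each revealed preimage must hash to the published value
		ok = sha256.Sum256(sig[i*32:(i+1)*32]) == pk[i][hashBit(h, i)]
	}
	return ok
}

// Hybrid signature = Ed25519 sig (64 bytes) || Lamport sig (8192 bytes).
func HybridSign(eccSK ed25519.PrivateKey, pqSK *lamportKey, msg []byte) []byte {
	return append(ed25519.Sign(eccSK, msg), lamportSign(pqSK, msg)...)
}

// AND composition: both halves must verify, so a break of either scheme alone does not permit forgery.
func HybridVerify(eccPK ed25519.PublicKey, pqPK *lamportKey, msg, sig []byte) bool {
	return len(sig) > ed25519.SignatureSize &&
		ed25519.Verify(eccPK, msg, sig[:ed25519.SignatureSize]) &&
		lamportVerify(pqPK, msg, sig[ed25519.SignatureSize:])
}
```

Tampering with either half, dropping the PQ half, or changing the message makes HybridVerify return false; only a signature valid under both schemes is accepted.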
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org