On Tue, 13 Jan 2015 13:36:01 +0100 Chí-Thanh Christopher Nguyễn
wrote:
> Andrew Savchenko wrote:
> > On Mon, 12 Jan 2015 19:44:46 +0100 Kristian Fiskerstrand wrote:
> >> Shor's would be effective against discrete logs (including ECC) as
> >> well, so wouldn't be applicable to this selection. For post-quantum
> >> asymmetric crypto we'd likely need e.g a lattice based primitive.
> > Why not use post-quantum signing together with a traditional one?
> 
> Indeed. Problem is that so-called post-quantum cryptosystems are 
> sometimes not even secure against non-quantum computers. I remember back 
> when NTRU was the latest hotness, and the breaking and fixing ping-pong 
> that security researchers played between conferences with it, 
> particularly with the signature part.

I think this is a problem of all new crypto solutions: they are
likely to have flaws at both the theory/model and implementation
level. But using them in addition (on an AND basis) doesn't hurt
security. However, as was pointed out in another reply, the
management overhead (a second keypair, signature and web of trust)
is considered too much now.

> None of these has stood the test of time like RSA or DLP-based crypto. 
> If post-quantum signing is desired, I agree that using it in addition
> to traditional signing should be strongly considered.

Best regards,
Andrew Savchenko

Attachment: pgpD1IRDdSo0M.pgp
Description: PGP signature
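What the thread calls signing "on an AND basis" is a hybrid signature: two independent key pairs, two signatures over the same message, and a verifier that accepts only if both check out. The example below is an added illustration, not code from this thread or from any project discussed in it. It pairs a DLP-based Schnorr signature with a hash-based Lamport one-time signature standing in for whatever post-quantum scheme would actually be chosen, and then shows that an attacker who has fully broken either half (recovered its secret key) still cannot produce a signature the hybrid verifier accepts. The Schnorr group parameters (p = 2039, q = 1019, g = 4) and the sample messages are assumptions chosen for readability and are far too small to be secure; the hybrid logic does not depend on them.

```python
import hashlib
import secrets

# Toy Schnorr group (ASSUMPTION, insecure size): p = 2039 is a safe prime,
# q = (p - 1) / 2 = 1019, and g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def schnorr_keygen():
    x = secrets.randbelow(Q - 1) + 1          # private exponent in [1, q-1]
    return x, pow(G, x, P)                    # (sk, pk = g^x mod p)


def _challenge(r, msg):
    # e = H(r || m), kept as the full 256-bit integer; exponents reduce mod q implicitly
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big")


def schnorr_sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1          # fresh nonce per signature
    r = pow(G, k, P)
    e = _challenge(r, msg)
    return e, (k - x * e) % Q                 # signature (e, s)


def schnorr_verify(y, msg, sig):
    if not (isinstance(sig, tuple) and len(sig) == 2):
        return False
    e, s = sig
    if not (0 <= s < Q and 0 <= e < 2 ** 256):
        return False
    r = (pow(G, s, P) * pow(y, e, P)) % P     # g^s * y^e = g^(k - xe) * g^(xe) = g^k
    return _challenge(r, msg) == e


# Lamport one-time signature over SHA-256: hash-based, so Shor's algorithm does not
# apply, but each key pair may sign ONLY ONE message. It stands in here for the
# post-quantum half of the hybrid.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]   # reveal one preimage per bit


def lamport_verify(pk, msg, sig):
    if not (isinstance(sig, list) and len(sig) == 256):
        return False
    return all(hashlib.sha256(sig[i]).digest() == pk[i][b]
               for i, b in enumerate(_bits(msg)))


# Hybrid: two key pairs, two signatures, and a verifier that ANDs the two results.
def hybrid_keygen():
    x, y = schnorr_keygen()
    sk_l, pk_l = lamport_keygen()
    return (x, sk_l), (y, pk_l)


def hybrid_sign(sk, msg):
    x, sk_l = sk
    return schnorr_sign(x, msg), lamport_sign(sk_l, msg)


def hybrid_verify(pk, msg, sig):
    if not (isinstance(sig, tuple) and len(sig) == 2):
        return False
    y, pk_l = pk
    classical, post_quantum = sig
    # Both halves must verify; a break of either scheme alone is not enough to forge.
    return schnorr_verify(y, msg, classical) and lamport_verify(pk_l, msg, post_quantum)


def forge_with_broken_classical(x, seen_pq_sig, forged_msg):
    """Attacker who recovered the Schnorr secret x (e.g. with Shor) but has no Lamport
    secret: a valid Schnorr signature plus a Lamport signature seen on another message."""
    return schnorr_sign(x, forged_msg), seen_pq_sig


def forge_with_broken_pq(sk_l, seen_classical_sig, forged_msg):
    """Attacker who recovered the Lamport secret (the 'post-quantum' scheme turned out to
    be classically weak) but not x: a fresh Lamport signature plus a replayed Schnorr one."""
    return seen_classical_sig, lamport_sign(sk_l, forged_msg)


def demo():
    sk, pk = hybrid_keygen()
    msg = b"release manifest v1"                       # constructed sample message
    forged = b"release manifest v1 (backdoored)"       # constructed attacker message
    sig = hybrid_sign(sk, msg)
    x, sk_l = sk
    return (
        hybrid_verify(pk, msg, sig),
        hybrid_verify(pk, forged, sig),
        hybrid_verify(pk, forged, forge_with_broken_classical(x, sig[1], forged)),
        hybrid_verify(pk, forged, forge_with_broken_pq(sk_l, sig[0], forged)),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The shape of the verifier is the whole point: because the two checks are joined with AND, the hybrid is at least as hard to forge as the stronger of its two halves, which is exactly why a not-yet-trusted post-quantum scheme can be added without lowering security. The overhead the thread worries about is visible in the code as well: two key pairs to generate, distribute and trust, and two signatures to carry per message (and, for a one-time scheme like Lamport, a fresh post-quantum key per message).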