> On Aug 20, 2015, at 10:26 AM, Scott Fluhrer (sfluhrer) <[email protected]>
> wrote:
>
>> ...
>> Does NSA mean this difference when claiming that IKEv1 PSK mode is the
>> only QC-safe protocol?
>
> I believe so.
>
>> Should we add similar mode to IKEv2?
>
> I believe that there is an easier alternative; the problem is that IKEv2 is
> relying on the security of the (EC)DH exchange, and that is breakable with a
> Quantum Computer. A cleaner approach would be to replace the DH exchange
> with something that does the same functionality, but in a Quantum Resistant
> manner. NTRU (using an ephemeral key) can do precisely this (and performs
> quickly enough, and with small enough KE payloads not to cause
> fragmentation); we could negotiate NTRU as "yet another 'DH group'". That
> way, we don't need to have this as a separate option to be negotiated.
Has the NTRU-based exchange had enough validation by skilled cryptographers to
be considered worth using in production?
Also, has it been shown not to be vulnerable to a generalization of Shor's
algorithm, the way D-H is? It would be rather silly to introduce a new
mechanism, only to have someone come along and tell us that Shor's algorithm
breaks it, too.
paul
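As an added illustration (not from this thread), the following Python sketch contrasts the two key derivations under discussion: IKEv2 derives SKEYSEED = prf(Ni | Nr, g^ir) (RFC 7296), so its secret rests entirely on (EC)DH, while IKEv1 pre-shared-key mode derives SKEYID = prf(PSK, Ni | Nr) (RFC 2409). The nonces, DH secret and PSK are constructed values, HMAC-SHA256 stands in for the negotiated PRF, and the adversary model (nonces captured on the wire, g^ir recovered, PSK unknown) is an assumption of the sketch.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the negotiated IKE PRF (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_skeyseed(ni: bytes, nr: bytes, g_ir: bytes) -> bytes:
    """RFC 7296 section 2.14: SKEYSEED = prf(Ni | Nr, g^ir).
    The nonces travel in the clear, so the only secret input is the DH result."""
    return prf(ni + nr, g_ir)


def ikev1_psk_skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4, pre-shared key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b). g^xy is mixed in only later,
    under this PSK-derived value, which a PSK-less adversary cannot compute."""
    return prf(psk, ni + nr)


def adversary_recovers(ni, nr, g_ir, ikev2_seed, ikev1_seed, psk_guesses=()):
    """Adversary model (assumed): nonces captured on the wire, g^ir recovered by
    breaking (EC)DH (the quantum scenario), PSK known only via a guess list."""
    ikev2_hit = ikev2_skeyseed(ni, nr, g_ir) == ikev2_seed
    ikev1_hit = any(ikev1_psk_skeyid(g, ni, nr) == ikev1_seed for g in psk_guesses)
    return {"ikev2": ikev2_hit, "ikev1_psk": ikev1_hit}


# Constructed sample values (not taken from any real exchange).
NI = b"\x01" * 16
NR = b"\x02" * 16
G_IR = hashlib.sha256(b"constructed DH shared secret").digest()
STRONG_PSK = hashlib.sha256(b"constructed high-entropy PSK").digest()


def demo() -> dict:
    """With a strong PSK, a DH break yields the IKEv2 seed but not the IKEv1 one."""
    return adversary_recovers(
        NI, NR, G_IR,
        ikev2_skeyseed(NI, NR, G_IR),
        ikev1_psk_skeyid(STRONG_PSK, NI, NR),
        psk_guesses=[b"password", b"123456"],
    )


if __name__ == "__main__":
    print(demo())  # {'ikev2': True, 'ikev1_psk': False}
```

If the PSK actually in use appears in the guess list, the second flag flips to True: the IKEv1 PSK-mode protection is only as strong as the entropy of the pre-shared key.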
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec