Hi all,
I was going through the security considerations of RFC 8784 and I saw the
following:
[…]
In addition, the policy SHOULD be set to negotiate only quantum-secure
symmetric algorithms; while this RFC doesn't claim to give advice as to what
algorithms are secure (as that may change based on future cryptographical
results), below is a list of defined IKEv2 and IPsec algorithms that should not
be used, as they are known to provide less than 128 bits of post-quantum
security:
Any IKEv2 encryption algorithm, PRF, or integrity algorithm with a key size
less than 256 bits.
Any ESP transform with a key size less than 256 bits.
PRF_AES128_XCBC and PRF_AES128_CBC: even though they can use as input a key of
arbitrary size, such input keys are converted into a 128-bit key for internal
use.
[…]
By our now more nuanced understanding of Grover’s algorithm (in particular how
expensive and poorly parallelizable it is), this recommendation is entirely no
longer necessary. For example, NIST also write that using 128-bit keys is just
fine.
I’m just not sure if this warrants submitting an erratum. Should I submit one?
Cheers,
Thom
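To make the quoted RFC 8784 guidance concrete, here is an added example (not code from the RFC, the IPsec list, or the message above) that checks a proposal's transforms against the "effective key size of at least 256 bits" policy, including the PRF_AES128_XCBC / PRF_AES128_CBC case where an arbitrary-length input key is reduced to 128 bits internally, and computes the naive Grover estimate that motivates the policy. The `grover_cost` function goes beyond the quoted text by also modelling parallel Grover under the simple space-partition assumption (p machines give only a sqrt(p) speedup), which is the parallelization cost the message refers to. Transform names, key sizes and the mapping table are constructed sample input, not the RFC's registry.

```python
"""Added example: check IKEv2/ESP transforms against the RFC 8784 guidance
quoted above (effective key size below 256 bits) and show the naive Grover
key-search estimate behind it. Sample proposal and mapping table are
constructed for illustration."""
from dataclasses import dataclass

# PRFs whose arbitrary-length input key is compressed to a fixed internal
# key: the PRF_AES128_XCBC / PRF_AES128_CBC case the RFC calls out.
# (Assumed mapping built from the quoted text, not from a registry.)
FIXED_INTERNAL_KEY_BITS = {"PRF_AES128_XCBC": 128, "PRF_AES128_CBC": 128}


@dataclass(frozen=True)
class Transform:
    name: str             # transform name as it appears in the proposal
    negotiated_bits: int  # key length negotiated for it


def effective_key_bits(t: Transform) -> int:
    """Key size the primitive actually uses internally."""
    return FIXED_INTERNAL_KEY_BITS.get(t.name, t.negotiated_bits)


def grover_cost(key_bits: int, parallel_log2: int = 0) -> tuple:
    """Textbook Grover estimate (assumption: simple space-partition model).

    Returns (log2 of sequential depth, log2 of total oracle work) for a
    k-bit key search split across 2**parallel_log2 machines:
    depth ~ 2^((k - p)/2), total work ~ 2^((k + p)/2).
    With p = 0 both equal k/2, the 'naive' post-quantum security level.
    """
    return ((key_bits - parallel_log2) / 2, (key_bits + parallel_log2) / 2)


def check_proposal(transforms, minimum_bits: int = 256) -> dict:
    """Map each transform name to (effective key bits, naive Grover security
    bits, compliant with the RFC 8784 minimum-key-size policy)."""
    report = {}
    for t in transforms:
        k = effective_key_bits(t)
        naive_pq_bits, _ = grover_cost(k)
        report[t.name] = (k, naive_pq_bits, k >= minimum_bits)
    return report


# Constructed sample proposal (not taken from any real configuration).
SAMPLE = [
    Transform("ENCR_AES_GCM_16", 256),
    Transform("ENCR_AES_CBC", 128),
    Transform("PRF_HMAC_SHA2_256", 256),
    Transform("PRF_AES128_XCBC", 256),   # 256-bit input, 128-bit internal key
    Transform("AUTH_HMAC_SHA2_256_128", 256),
]

if __name__ == "__main__":
    for name, (k, pq, ok) in check_proposal(SAMPLE).items():
        verdict = "ok" if ok else "below RFC 8784 minimum"
        print(f"{name:26} key={k:3}  naive Grover={pq:5.1f} bits  {verdict}")
    # Parallel Grover on a 128-bit key with 2^40 machines: depth 2^44,
    # but total work 2^84, so throwing hardware at it buys only sqrt(p).
    print("grover_cost(128, 40) =", grover_cost(128, 40))
```

The policy check flags PRF_AES128_XCBC even though 256 bits were negotiated, which is exactly the subtlety the RFC text spells out; the `grover_cost` output is the arithmetic behind both the RFC's 256-bit recommendation (k/2 naive bits) and the counter-argument in the message (the parallel model shows total work rising with the number of machines).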
_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]