Niels Möller <[email protected]> writes:

>>> * Focus on getting post-quantum algorithms into Nettle.
>>
>> From the GnuTLS perspective, it would be helpful if there is support for at
>> least one post-quantum KEM algorithm so it could make the TLS handshake
>> provide quantum safety and forward secrecy (with PSK). Signature
>> algorithms could be done later.
>
> That's my understanding too, that the current main worry is forward
> secrecy of protocols that use key exchange methods that are vulnerable
> to an attacker with a quantum computer.
While encryption may be more urgent, it takes a lot of time for algorithms to permeate standards and implementations, and there are long-term support distributions with 10 years of support or more. For example, Red Hat's signing infrastructure is limited to what their oldest supported release can consume.

I asked in 87sf5daacn.fsf@thinkbox for the PQC algorithms that we'll need for the upcoming PQC extensions to OpenPGP. Unfortunately, that mail is not available in the nettle-bugs archive, but it can be found here:

https://marc.info/?l=nettle-bugs&m=169963043712268&w=2

Since then, the draft has been adopted by the working group, and is available here:

https://datatracker.ietf.org/doc/draft-ietf-openpgp-pqc/

The set of PQC algorithms has not changed: we need ML-KEM, ML-DSA, and SLH-DSA. The draft dropped KMAC in favor of SHA3 as the key combiner, so we (likely) don't need KMAC anymore.

I have seen the proposed implementation of ML-KEM (big thanks!), but unfortunately haven't had the time to try it out yet. If I do, I'll send feedback.

Best,
Justus
_______________________________________________
nettle-bugs mailing list -- [email protected]
To unsubscribe send an email to [email protected]
