> -----Original Message-----
> From: TLS [mailto:[email protected]] On Behalf Of Nikos Mavrogiannopoulos
> Sent: Friday, March 04, 2016 3:10 AM
> To: Hanno Böck; Blumenthal, Uri - 0553 - MITLL; [email protected]
> Subject: Re: [TLS] RSA-PSS in TLS 1.3
>
> On Thu, 2016-03-03 at 17:11 +0100, Hanno Böck wrote:
> > > It may be worth asking the authors what's their opinion of FDH vs
> > > PSS
> > > in view of the state of the art *today*.
> > You may do that, but I doubt that changes much.
> >
> > I think FDH really is not an option at all here. It may very well be
> > that there are better ways to do RSA-padding, but I don't think that
> > this is viable for TLS 1.3 (and I don't think FDH is better).
> > PSS has an RFC (3447) and has been thoroughly analyzed by research. I
> > think there has been far less analyzing effort towards FDH (or any
> > other construction) and it is not in any way specified in a standards
> > document. If one would want to use FDH or anything else one would imho
> > first have to go through some standardization process (which could be
> > CFRG or NIST or someone else) and call for a thorough analysis of it
> > by the cryptographic community. Which would take at least a couple of
> > years.
> >
> > Given that there probably is no long term future for RSA anyway
> > (people want ECC and postquantum is ahead) I doubt anything else than
> > the primitives we already have in standards will ever be viable.
>
> On the contrary. If we have a future with quantum computers available, the
> only thing that we have now and would work is RSA with larger keys, not ECC.
RSA isn't *that* much more secure against a Quantum Computer than ECC. It would appear to take a larger Quantum Computer to break RSA than it would to break ECC (for reasonable moduli/curve sizes), however not that much more. It is possible that, at one stage, we'll be able to build a QC that's just large enough to break EC curves, but not larger RSA keys - however, we would be likely to be able to scale up our QC to be a bit larger; possibly in a few months, quite likely in a year or two. Hence, moving back to RSA would appear likely to buy us only a short window...

I agree with Hanno; if we're interested in defending against a Quantum Computer, post Quantum algorithms are the way to go.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
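Since the thread compares PSS with FDH as the padding for TLS 1.3 RSA signatures, here is an added worked example (not code from any of the posters, and not from any TLS implementation) of the EMSA-PSS encoding and verification of RFC 3447 section 9.1 in pure Python, using the parameters TLS 1.3 fixes for its rsa_pss_*_sha256 schemes: MGF1 over SHA-256 and a salt whose length equals the digest length. The message bytes are constructed, the function name `demo_tls13_pss` and the 2048-bit modulus size are assumptions of this example, and the modular exponentiation itself (RSASP1/RSAVP1) is left to a real library; the block shows only the padding step the discussion is about.

```python
import hashlib
import os

HASH = hashlib.sha256          # rsa_pss_rsae_sha256 / rsa_pss_pss_sha256 in TLS 1.3
H_LEN = HASH().digest_size     # 32 bytes; TLS 1.3 requires salt length == digest length
SALT_LEN = H_LEN


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 3447 B.2.1): Hash(seed || C) for C = 0, 1, ... until mask_len bytes."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes = None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 3447 9.1.1); em_bits is modBits - 1 for RSASSA-PSS.
    A caller-supplied salt exists only for reproducible tests; real signing uses fresh randomness."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + SALT_LEN + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt length must equal the digest length")
    m_hash = HASH(message).digest()
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()           # H = Hash(M'), M' = 0^8 || mHash || salt
    ps = b"\x00" * (em_len - SALT_LEN - H_LEN - 2)
    db = ps + b"\x01" + salt
    db_mask = mgf1(h, em_len - H_LEN - 1)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)            # clear high bits so EM < 2^emBits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 3447 9.1.2): every structural check, then H == H'."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + SALT_LEN + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:                       # leftmost bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - H_LEN - SALT_LEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:                # PS must be all-zero, then 0x01
        return False
    salt = bytes(db[ps_len + 1 :])
    h_prime = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    return h == h_prime


def demo_tls13_pss(mod_bits: int = 2048):
    """Encode one constructed message twice with fresh salts, as a TLS 1.3 signer would,
    and verify both. Returns (both_verify, encodings_differ, tampered_rejected)."""
    em_bits = mod_bits - 1                                    # RSASSA-PSS uses modBits - 1
    msg = b"constructed sample: TLS 1.3 CertificateVerify content"
    em1 = emsa_pss_encode(msg, em_bits)
    em2 = emsa_pss_encode(msg, em_bits)
    both = emsa_pss_verify(msg, em1, em_bits) and emsa_pss_verify(msg, em2, em_bits)
    tampered = emsa_pss_verify(msg + b"!", em1, em_bits)
    return both, em1 != em2, not tampered


if __name__ == "__main__":
    print(demo_tls13_pss())
```

Two things worth noticing when reading the output: because the salt is fresh per signature, two PSS encodings of the same message differ (the scheme is probabilistic, which is part of what its security proof relies on), and the verifier returns a single "inconsistent" result for every structural failure rather than reporting which check failed, which is how RFC 3447 specifies it.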
