On Sun, Aug 7, 2022 at 3:52 AM Peter Gutmann <[email protected]> wrote:
> Phillip Hallam-Baker <[email protected]> writes:
>
> >Quantum Annoyance:
>
> I thought a Quantum Annoyance was someone who keeps banging on about
> imaginary attacks that don't exist as a means of avoiding having to deal
> with actual attacks that have been happening for years without being
> addressed.

That is a little unfair but only a little.

What bothers me is that TLS is not a toy, it is the primary security control used in most of the world's critical infrastructure. That is why Quantum Cryptanalysis has to be taken seriously. But so does the fact that Rainbow fell to an attack discovered during the competition. This is not mature crypto, it is not ready for prime time as a sole control.

I have seen references to a 'NIST' slide insisting that we should not use hybrid schemes and I completely disagree with them. KGB doctrine was always that every communication be secured by two independent technologies using separate principles. I suspect that this guidance is being misinterpreted and that what they actually meant was that the PQC algorithms have to be fit for purpose as a sole control.

First, do no harm: At this point it is very clear that the risk of a Laptop on a Weekend breaking Kyber is rather higher than anyone building a QCC capable computer in the next decade. So what is not going to happen is a system in which a break of Kyber results in a break of TLS. Critical infrastructure demands defense in depth.

The lack of binding between the ephemeral and the initial exchanges was always a design blunder in TLS. Using an ephemeral should never weaken the security.

Incidentally, this particular design blunder is one of the reasons I am sceptical of security proofs using formal methods. The problem with formal methods is that you can only prove correctness with respect to a specification and if the specification is wrong, all else fails. Unless you start asking questions like 'what if this assumption fails', you end up with systems with a single point of failure. And before folk start telling me how great formal methods are, I was a practitioner once.
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
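As an added illustration of the defense-in-depth property argued for in the message above (a break of one key exchange must not break the session), this is my own example, not code from the thread or from any TLS implementation: a hybrid combiner that feeds both the classical and the PQ shared secret, together with the handshake transcript, into one HKDF, so the traffic key depends on both secrets and on the messages that produced them. The secret layout, labels and sample inputs are assumptions chosen for the illustration, not the wire format of any draft.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Combine a classical (e.g. ECDH) and a PQ KEM shared secret into one
    32-byte traffic key.  Length prefixes keep the two secrets unambiguous;
    the transcript hash is the salt, binding the key to the handshake that
    produced both secrets.  Layout is illustrative (an assumption)."""
    ikm = (len(ss_classical).to_bytes(2, "big") + ss_classical
           + len(ss_pq).to_bytes(2, "big") + ss_pq)
    prk = hkdf_extract(HASH(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid traffic key", 32)


def depends_on_both(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bool:
    """True if substituting a wrong value for either secret, or altering the
    transcript, yields a different key: holding only one secret is not enough."""
    key = derive_hybrid_key(ss_classical, ss_pq, transcript)
    wrong = os.urandom(32)
    return (key != derive_hybrid_key(wrong, ss_pq, transcript)
            and key != derive_hybrid_key(ss_classical, wrong, transcript)
            and key != derive_hybrid_key(ss_classical, ss_pq, transcript + b"x"))


if __name__ == "__main__":
    # Constructed sample values standing in for real ECDH / KEM outputs.
    ss_classical, ss_pq = os.urandom(32), os.urandom(32)
    transcript = b"ClientHello|ServerHello (constructed stand-in)"
    print(derive_hybrid_key(ss_classical, ss_pq, transcript).hex())
    print("depends on both secrets and transcript:",
          depends_on_both(ss_classical, ss_pq, transcript))
```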
