> > I thought a Quantum Annoyance was someone who keeps banging on about
> > imaginary attacks that don't exist as a means of avoiding having to deal
> > with actual attacks that have been happening for years without being
> > addressed.
>
> That is a little unfair but only a little.

I don't think Quantum "Annoyance" makes any sense at all. It's only annoying to implementers.

> What bothers me is that TLS is not a toy, it is the primary security control
> used in most of the world's critical infrastructure. That is why
> Quantum Cryptanalysis has to be taken seriously.

I concur.

> But so does the fact that Rainbow fell to an attack discovered during the
> competition.

That was the point of the competition, n'est-ce pas?

> This is not mature crypto, it is not ready for prime time as a sole control.

I think you're throwing everything into one pile, mixing apples, oranges, etc. How long till a crypto algorithm is considered "mature"? Is ECC "mature"? What about NTRU?

> I have seen references to a 'NIST' slide insisting that we should not use
> hybrid schemes and I completely disagree with them.

I appreciate your point, and happen to disagree with it. SIKE failed - and so did many other PQ and Classic algorithms. So...? Can you *guarantee* that ECC (or RSA) won't fall to a brand-new LoW attack tomorrow, or in two years? You'd say "it's not likely"? Sure, but IMHO it's comparably unlikely for NTRU or Kyber to fall in a similar way.

> KGB doctrine was always that every communication be secured by two
> independent technologies using separate principles.

I'm sorry to disappoint you, but the above is simply untrue.

> First, do no harm: At this point it is very clear that the risk of a
> Laptop on a Weekend breaking Kyber is rather higher than anyone building
> a QCC capable computer in the next decade.

Probably. Otherwise, no comment.

> So, what is not going to happen is a system in which a break of Kyber results
> in a break of TLS.

I daresay, nothing - because, based on the available cryptanalytic results, I don't expect Kyber to break, at least at NIST Sec Level 5 (and I'm not interested in any other level).

> Critical infrastructure demands defense in depth. The lack of binding between
> the ephemeral and the initial exchanges was always a design blunder in TLS.

Yes, absolutely.

> Using an ephemeral should never weaken the security.

Again, I concur.

> Incidentally, this particular design blunder is one of the reasons
> I am skeptical of security proofs using formal methods.

"Look at the formal proofs, but trust cryptanalysis". I could sign under this statement.
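The hybrid property both posters argue about (a break of one component must not break the derived key) and the binding of the ephemeral exchange to the rest of the handshake can be shown with a small key combiner. This is an added illustration, not code from the thread or from any TLS draft; it assumes a simplified combiner that concatenates the classical and PQ shared secrets into HKDF and salts with the transcript hash, and the shared secrets are constructed stand-ins, not real ECDH or Kyber output.

```python
import hmac
import hashlib
import os

# Minimal HKDF (RFC 5869) on top of the standard library.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_traffic_key(ss_classical: bytes, ss_pq: bytes, transcript_hash: bytes) -> bytes:
    """Hypothetical combiner: both shared secrets feed one KDF, and the
    transcript hash is the salt, so the key is bound to this exchange."""
    ikm = ss_classical + ss_pq
    prk = hkdf_extract(transcript_hash, ikm)
    return hkdf_expand(prk, b"hybrid traffic key", 32)

def attacker_recovers_key(key: bytes, known_classical: bytes,
                          transcript_hash: bytes, pq_guesses: list[bytes]) -> bool:
    """Model an adversary who has fully broken the classical component:
    they know ss_classical but must still guess ss_pq to reach the key."""
    return any(hmac.compare_digest(hybrid_traffic_key(known_classical, g, transcript_hash), key)
               for g in pq_guesses)

def demo() -> dict:
    # Constructed sample secrets; a real handshake would produce these from ECDH and a KEM.
    ss_ecdh = os.urandom(32)
    ss_kyber = os.urandom(32)
    transcript = hashlib.sha256(b"constructed ClientHello||ServerHello").digest()
    key = hybrid_traffic_key(ss_ecdh, ss_kyber, transcript)
    # Changing any single input (including the transcript) yields a different key.
    other_transcript = hashlib.sha256(b"replayed or substituted handshake").digest()
    return {
        "key_len": len(key),
        "deterministic": key == hybrid_traffic_key(ss_ecdh, ss_kyber, transcript),
        "pq_change_alters_key": key != hybrid_traffic_key(ss_ecdh, os.urandom(32), transcript),
        "transcript_bound": key != hybrid_traffic_key(ss_ecdh, ss_kyber, other_transcript),
        "classical_break_alone_suffices":
            attacker_recovers_key(key, ss_ecdh, transcript, [os.urandom(32) for _ in range(64)]),
    }
```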
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
