The cost of hybrids is not high, but it's certainly not negligible. I can't
share the exact number of servers we'd be able to cut if we went pure PQ,
but with a back-of-the-envelope calculation I think you can convince
yourself that we could've at least hired an engineer instead. We think it's
worth it now, but of course we're not going to keep hybrids around when the
CRQC arrives.

Best,

 Bas

On Thu, Mar 7, 2024 at 1:56 AM Dennis Jackson <ietf=40dennis-jackson...@dmarc.ietf.org> wrote:

> I'd like to understand the argument for why a transition back to single
> schemes would be desirable.
>
> Having hybrids be the new standard seems to be a nice win for security
> and pretty much negligible costs in terms of performance, complexity and
> bandwidth (over single PQ schemes).
>
> On 07/03/2024 00:31, Watson Ladd wrote:
> > On Wed, Mar 6, 2024, 10:48 AM Rob Sayre <say...@gmail.com> wrote:
> >> On Wed, Mar 6, 2024 at 9:22 AM Eric Rescorla <e...@rtfm.com> wrote:
> >>>
> >>>
> >>> On Wed, Mar 6, 2024 at 8:49 AM Deirdre Connolly <durumcrustu...@gmail.com> wrote:
> >>>>> Can you say what the motivation is for being "fully post-quantum"
> >>>>> rather than hybrid?
> >>>> Sure: in the broad scope, hybrid introduces complexity in the
> >>>> short-term that we would like to move off of in the long-term - for
> >>>> TLS 1.3 key agreement this is not the worst thing in the world and we
> >>>> can afford it, but hybrid is by design a hedge, and theoretically a
> >>>> temporary one.
> >>>
> >>> My view is that this is likely to be the *very* long term.
> >>
> >> Also, the ship has sailed somewhat, right? Like Google Chrome,
> >> Cloudflare, and Apple iMessage already have hybrids shipping (I'm sure
> >> there are many more, those are just really popular examples). The
> >> installed base is already very big, and it will be around for a while,
> >> whatever the IETF decides to do.
> > People can drop support in browsers fairly easily especially for an
> > experimental codepoint. It's essential that this happen: if everything
> > we (in the communal sense) tried had to be supported in perpetuity, it
> > would be a recipe for trying nothing.
> >
> >> thanks,
> >> Rob
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
>
