On Sat, Feb 7, 2026 at 11:35 AM Muhammad Usama Sardar < [email protected]> wrote:
> Now in my understanding, the "downgrade attack" that the draft is trying
> to prevent is:
>
> 1. C1 asks for a connection for S.
> 2. MITM gets the compromised key from S and impersonates S.
> 3. C1 gets tricked to establish a connection with MITM rather than S.
>
> Is this correct? If so, how does the proposed extension protect? The
> initial connection may already be to already-compromised server (S), no?
> What am I missing?

I would characterize the attack slightly differently, because it's not about compromising a server but about compromising the signature algorithm that the server uses.

The way I would think about this is that suppose you have a server which has both a traditional signature algorithm T and a PQ algorithm P [0]. If an attacker has a CRQC they can in principle attack connections between clients and the server by breaking T and then impersonating the server. However, if the client successfully connects to the server once with the PQ algorithm, then the client can remember that and in future insist on the server using P and thus prevent this kind of attack.

This doesn't solve the problem if the attacker is able to attack all the time, but it makes the attacker's job harder because it has to be more active. It's also the case that if the client connects to the server at time X and then the attacker gets a CRQC at X+\delta X, then the client will be protected.

-Ekr

[0] Assuming that the chain is all traditional or PQ as expected.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
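The client-side policy Ekr describes (remember that a server once authenticated with the PQ algorithm P, then refuse a later handshake that only offers the traditional algorithm T) as an added simulation, not code from the thread or from any draft; the concrete algorithm names, the `Client` class and the result strings are assumptions, and the model treats the signature algorithm a server authenticates with as a single opaque label.

```python
from dataclasses import dataclass, field

# Assumed concrete names for T and P in Ekr's notation (placeholders, not from the thread).
TRADITIONAL = "ecdsa_secp256r1_sha256"   # T: breakable by a CRQC
PQ = "mldsa65"                           # P: assumed to survive a CRQC


@dataclass
class Client:
    # server name -> PQ algorithm that server was previously seen authenticating with
    pinned: dict = field(default_factory=dict)

    def handshake(self, server: str, sigalg_used: str) -> str:
        """Apply the policy to one handshake; returns 'accept', 'accept+pin' or 'reject'."""
        remembered = self.pinned.get(server)
        if remembered is not None and sigalg_used != remembered:
            # Server previously proved possession of P; anything else is a downgrade.
            return "reject"
        if sigalg_used == PQ and remembered is None:
            # First successful PQ authentication: remember it for future connections.
            self.pinned[server] = PQ
            return "accept+pin"
        return "accept"


def scenario_attacker_arrives_later():
    """Honest PQ connection at time X, CRQC-equipped impersonator at X+delta."""
    client = Client()
    first = client.handshake("example.com", PQ)             # constructed honest handshake
    second = client.handshake("example.com", TRADITIONAL)   # forged T signature, refused
    return first, second


def scenario_attacker_from_start():
    """The limitation Ekr notes: an attacker present on every connection is never pinned out."""
    client = Client()
    return client.handshake("example.com", TRADITIONAL)     # no pin exists, so accepted


if __name__ == "__main__":
    print(scenario_attacker_arrives_later())   # ('accept+pin', 'reject')
    print(scenario_attacker_from_start())      # 'accept'
```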
