Astra mortemque praestare gradatim

On Wed, May 27, 2026, 1:48 PM Simon Josefsson <simon=[email protected]> wrote:

> Nadim Kobeissi <[email protected]> writes:
>
> > Signature schemes do not have the same compromise profile as key
> > agreement schemes (I wrote about this [1]).
> ...
> > [1] https://symbolic.software/blog/2026-04-13-hybrid-constructions/
>
> "Soatok’s central observation is one that deserves wider uptake: the
> harvest-now-decrypt-later (HNDL) threat that motivates hybrid KEMs has
> no analogue for signatures."
>
> Repeating that statement doesn't make it true. The analog motivation
> for doing PQ hybrids is Man-In-The-Middle attacks. If your non-hybrid
> PQ signature has a weakness (e.g., implementation bug), it facilitates
> man-in-the-middle attacks.

The only way to achieve that is to have a quantum computer at the time of attack.

> There were times when man-in-the-middle attacks were as common as
> harvest-now-decrypt-later attacks are today. I believe that MITMs are
> generally worse than HNDL attacks. Adding a pre-PQ signature in hybrid
> with new PQ systems is low cost compared to the risks. We did that for
> PQ key agreement based on the HNDL argument. We should do the same for
> PQ authentication with the MITM argument.
>
> /Simon
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
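The AND-combiner that the quoted argument assumes (a pre-PQ signature carried alongside a PQ one, with both required to verify), as an added example in Go that is not from the thread, from the TLS working group or from any draft. The thread names no particular algorithms, so the choices here are assumptions: ed25519 from the Go standard library stands in for the classical component, and a Lamport one-time signature over SHA-256 stands in for the PQ component; the `hybrid-sig-v0:` domain label is likewise an invented value. `demoBrokenPQ` models the case Simon raises, a PQ component that is completely broken, by handing the adversary its private key, and shows that the hybrid still rejects the forgery because the classical component must verify as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Lamport one-time signature over SHA-256 digests. Hash-based, so it serves as a
// stand-in for a post-quantum signature component (an assumption of this example).
// A Lamport key must sign at most ONE message; signing twice leaks preimages.
const lamportBits = 256

type LamportPriv [lamportBits][2][32]byte
type LamportPub [lamportBits][2][32]byte

func lamportKeygen() (*LamportPriv, *LamportPub, error) {
	priv, pub := new(LamportPriv), new(LamportPub)
	for i := 0; i < lamportBits; i++ {
		for b := 0; b < 2; b++ {
			if _, err := rand.Read(priv[i][b][:]); err != nil {
				return nil, nil, err
			}
			pub[i][b] = sha256.Sum256(priv[i][b][:]) // public key = hashes of the secrets
		}
	}
	return priv, pub, nil
}

// lamportSign reveals one 32-byte preimage per digest bit (256*32 bytes in total).
func lamportSign(priv *LamportPriv, msg []byte) []byte {
	d := sha256.Sum256(msg)
	sig := make([]byte, 0, lamportBits*32)
	for i := 0; i < lamportBits; i++ {
		bit := (d[i/8] >> (7 - uint(i%8))) & 1
		sig = append(sig, priv[i][bit][:]...)
	}
	return sig
}

func lamportVerify(pub *LamportPub, msg, sig []byte) bool {
	if len(sig) != lamportBits*32 {
		return false
	}
	d := sha256.Sum256(msg)
	for i := 0; i < lamportBits; i++ {
		bit := (d[i/8] >> (7 - uint(i%8))) & 1
		if sha256.Sum256(sig[i*32:(i+1)*32]) != pub[i][bit] {
			return false
		}
	}
	return true
}

// Hybrid key pair: classical (ed25519) + PQ stand-in (Lamport).
type HybridPriv struct {
	Classical ed25519.PrivateKey
	PQ        *LamportPriv
}
type HybridPub struct {
	Classical ed25519.PublicKey
	PQ        *LamportPub
}

func hybridKeygen() (*HybridPriv, *HybridPub, error) {
	cpub, cpriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	lpriv, lpub, err := lamportKeygen()
	if err != nil {
		return nil, nil, err
	}
	return &HybridPriv{cpriv, lpriv}, &HybridPub{cpub, lpub}, nil
}

// hybridMessage prefixes an invented domain label so that neither component's
// signature is valid for the message outside the hybrid context.
func hybridMessage(msg []byte) []byte { return append([]byte("hybrid-sig-v0:"), msg...) }

// hybridSign concatenates the classical signature and the PQ signature.
func hybridSign(priv *HybridPriv, msg []byte) []byte {
	m := hybridMessage(msg)
	return append(ed25519.Sign(priv.Classical, m), lamportSign(priv.PQ, m)...)
}

// hybridVerify is an AND combiner: both components must verify, so an
// adversary who can forge only one of them cannot forge the hybrid.
func hybridVerify(pub *HybridPub, msg, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize+lamportBits*32 {
		return false
	}
	m := hybridMessage(msg)
	okClassical := ed25519.Verify(pub.Classical, m, sig[:ed25519.SignatureSize])
	okPQ := lamportVerify(pub.PQ, m, sig[ed25519.SignatureSize:])
	return okClassical && okPQ
}

// demoBrokenPQ: the PQ component is totally broken (the adversary holds its
// private key) but the classical one is not. Returns whether the hybrid accepts
// the forgery; with the AND combiner it must return false.
func demoBrokenPQ() (bool, error) {
	priv, pub, err := hybridKeygen()
	if err != nil {
		return false, err
	}
	msg := []byte("constructed handshake transcript") // constructed sample input
	forgedPQ := lamportSign(priv.PQ, hybridMessage(msg))  // adversary forges the PQ part
	bogusClassical := make([]byte, ed25519.SignatureSize)  // cannot forge the classical part
	return hybridVerify(pub, msg, append(bogusClassical, forgedPQ...)), nil
}

func main() {
	accepted, err := demoBrokenPQ()
	fmt.Println("forgery with broken PQ component accepted:", accepted, "err:", err)
}
```

The length check in `hybridVerify` matters: without it a truncated signature would index out of range, and a combiner that panics on malformed input is itself a denial-of-service surface on a TLS server.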
