On Wed, May 27, 2026 at 2:08 PM Nico Williams <[email protected]> wrote: > > On Wed, May 27, 2026 at 02:01:08PM -0700, Watson Ladd wrote: > > On Wed, May 27, 2026, 1:48 PM Simon Josefsson <simon= > > [email protected]> wrote: > > > Repeating that statement doesn't make it true. The analog motivation > > > for doing PQ hybrids is Man-In-The-Middle attacks. If your non-hybrid > > > PQ signature has a weakness (e.g., implementation bug), it facilitate > > > man-in-the-middle's. > > > > > > > The only way to achieve that is to have a quantum computer at the time of > > attack > > Not so. Find the victim's classical public key (they'll gladly tell you > it), use a quantum computer to break it off-line and recover the private > key, then use the private key at will to impersonate the victim, then > its counterparties become victims too.
Correct: you have to have a quantum computer *before* mounting the attack. Or to put another way, todays connections are not compromised by tomorrows computers. > > Nico > -- -- Astra mortemque praestare gradatim _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
