Watson Ladd <[email protected]> writes:

>> Repeating that statement doesn't make it true. The analog motivation
>> for doing PQ hybrids is Man-In-The-Middle attacks. If your non-hybrid
>> PQ signature has a weakness (e.g., implementation bug), it facilitates
>> man-in-the-middle attacks.
>>
>
> The only way to achieve that is to have a quantum computer at the time of
> attack
No, that's totally wrong, and appears to be a common fallacy. One likely scenario is to use a traditional computer to break the PQ part and establish a MITM.

Reaching confidence in crypto takes time. We need confidence in:

- Underlying math problem (factoring, discrete log, lattices)
- Algorithm (RSA-PKCSv1.5, RSA-PSS, ECDSA, EdDSA, etc.)
- Parameter selection (512-bit RSA, 1024-bit RSA, secp128, etc.)
- Implementation (side channels, correctness, corner cases, parametrization bugs, API issues such as prehash vs. non-prehash, etc.)

It took perhaps ~30 years to arrive at RSA-PSS-4096. Common choices from ~20 years ago (RSA PKCSv1.5 1024-bit) are considered insecure today, and allow a MITM.

Did it take ~25 years to reach the same for ECDSA secp256? Common choices from ~13 years ago (secp192/secp224) are considered insecure today, and allow a MITM.

For Ed25519 the design has been stable since the initial publication in 2011 (a remarkable achievement), but I'd say it took ~10 years to reach maturity. Fortunately Ed448 did not introduce parametrization bugs in implementations. The HashEdDSA mode of RFC 8032 introduced an API weakness. Non-deterministic "hedged" use introduces another weakness.

For ML-DSA the spec was published in August 2024, and the final stable test vectors were not available significantly earlier. Even if we collectively entertain our hubris and believe that FIPS 204 will stand the test of time as well as Ed25519 has, we are looking at least at a 5-10 year window where history tells us to be careful.

This window of opportunity is known to HNDL attackers today. Using ML-DSA in non-hybrid mode gives them the same window of opportunity to mount a MITM during the next 5-15 years. I believe granting that attack vector is entirely irresponsible. Several organizations have the funding, purchasing power and demonstrated historical track record to influence the IETF to make weak choices.

/Simon
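The AND-composition the message argues for, as an added example that is not part of the thread: a hybrid verifier accepts only if the classical component and the PQ component both verify the same transcript, so a PQ-only weakness does not by itself give a MITM a forged signature. The classical part is real Ed25519 from Go's standard library; the PQ part is a constructed, hypothetical stand-in (`BrokenPQVerifier`) modelling an implementation bug that a classical attacker can exploit; `HybridVerify` and `Scenario` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Verifier is one signature component: classical or post-quantum.
type Verifier func(msg, sig []byte) bool

// Ed25519Verifier wraps the classical component (real Ed25519).
func Ed25519Verifier(pub ed25519.PublicKey) Verifier {
	return func(msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }
}

// BrokenPQVerifier is a constructed, hypothetical stand-in for a PQ component
// whose implementation bug makes verification pass for attacker-chosen input.
func BrokenPQVerifier() Verifier {
	return func(msg, sig []byte) bool { return true }
}

// HybridVerify is an AND-composition: every component must accept its own
// signature over the same message, otherwise the whole signature is rejected.
func HybridVerify(msg []byte, sigs [][]byte, vs []Verifier) bool {
	if len(sigs) != len(vs) {
		return false
	}
	for i := range vs {
		if !vs[i](msg, sigs[i]) {
			return false
		}
	}
	return true
}

// Scenario returns (legitHybridOK, mitmNonHybridOK, mitmHybridOK).
func Scenario() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pq := BrokenPQVerifier()
	honest := []byte("transcript signed by the real server") // constructed
	legit := HybridVerify(honest, [][]byte{ed25519.Sign(priv, honest), []byte("pq-sig")}, []Verifier{Ed25519Verifier(pub), pq})
	// The MITM substitutes its own transcript: it can satisfy the broken PQ
	// part with a classical computer but cannot produce the Ed25519 part.
	mitm := []byte("transcript substituted by a man-in-the-middle") // constructed
	fake := make([]byte, ed25519.SignatureSize)
	nonHybrid := HybridVerify(mitm, [][]byte{[]byte("forged")}, []Verifier{pq})
	hybrid := HybridVerify(mitm, [][]byte{fake, []byte("forged")}, []Verifier{Ed25519Verifier(pub), pq})
	return legit, nonHybrid, hybrid
}
```

Non-hybrid ML-DSA with such a bug accepts the substituted transcript; the hybrid rejects it because the Ed25519 component still fails.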
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
