Eric Rescorla <[email protected]> writes:

> The argument for hybrids in this context is that if one has
> substantially higher confidence in the security of the traditional
> algorithm than the PQ one against classical attack, then it is safer
> to deploy hybrids. As has been discussed in detail, however, the threat
> model is different here because the attacker has to be able to break
> the vulnerable algorithm at the time of the connection (this is just a
> generalization of Watson's point), so the level of risk depends on (a)
> how rapidly you can disable the PQ algorithm if it's found to be
> vulnerable

If there is no other widely deployed choice than pure ML-DSA that time
window will be long, and the level of risk high.

That's why we need several alternatives, including hybrid PQ signature
authentication.

And if we have at least one hybrid specified, implemented and deployed,
I don't believe using non-hybrid variants is a good choice for a general
Internet-wide recommendation for the next ~10 years.  We need to gain
confidence in ML-DSA and other new signature algorithms.

/Simon

> and (b) how likely you think it is that there will be a secret
> compromise of the PQ algorithm so you don't know to disable it.  You have
> to make this assessment on your own, but it's a distinct situation
> from HNDL, where there is action you can take to protect
> already-transmitted data.
>
> -Ekr
>
>
> [0] This may be different for systems such as SSH where the keys are
> often not authenticated via a global PKI and therefore it's possible
> for individual endpoint pairs to disable PQ safely.
>
> [1] See
> https://www.chromium.org/Home/chromium-security/post-quantum-auth-roadmap/
> for a more in-depth discussion of the issues here.
>
>
> On Wed, May 27, 2026 at 2:19 PM Nico Williams <[email protected]> wrote:
>
>> On Wed, May 27, 2026 at 02:11:16PM -0700, Watson Ladd wrote:
>> > On Wed, May 27, 2026 at 2:08 PM Nico Williams <[email protected]>
>> wrote:
>> > >
>> > > On Wed, May 27, 2026 at 02:01:08PM -0700, Watson Ladd wrote:
>> > > > On Wed, May 27, 2026, 1:48 PM Simon Josefsson <simon=
>> > > > [email protected]> wrote:
>> > > > > Repeating that statement doesn't make it true.  The analog
>> > > > > motivation for doing PQ hybrids is Man-In-The-Middle attacks.  If
>> > > > > your non-hybrid PQ signature has a weakness (e.g., implementation
>> > > > > bug), it facilitates man-in-the-middle attacks.
>> > > > >
>> > > >
>> > > > The only way to achieve that is to have a quantum computer at the
>> > > > time of attack
>> > >
>> > > Not so.  Find the victim's classical public key (they'll gladly tell
>> > > you it), use a quantum computer to break it off-line and recover the
>> > > private key, then use the private key at will to impersonate the
>> > > victim, then its counterparties become victims too.
>> >
>> > Correct: you have to have a quantum computer *before* mounting the
>> > attack.
>> >
>> > Or to put it another way, today's connections are not compromised by
>> > tomorrow's computers.
>>
>> Sure, but today's _credentials_ -if they are still in use 'tomorrow'-
>> will be.  Who wants to suddenly have to hurry up and deploy new code and
>> change keys all at once on PQ day?  Worse: who wants to be dependent on
>> their counterparties to have to do that on PQ day?
>>
>> But at the same time the same pure-PQC vs. hybrid concerns arise.
>> Therefore if we think HNDL justifies hybrid KEMs now then surely MITM
>> justifies hybrid signature algorithms now as well.
>>
>> Nico
>> --
>>
>> _______________________________________________
>> TLS mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
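The property the thread keeps returning to, that a hybrid signature only verifies when both components verify so a weakness in the PQ component alone (Simon's "implementation bug" case) does not let an impersonation through, can be shown concretely. The block below is an added example and is not code from this thread or from any TLS implementation. Both components are Lamport one-time signatures over different hash functions, used purely as stand-ins (a real deployment would pair a classical scheme with ML-DSA); the `BrokenVerify` wrapper is a constructed model of a verifier bug that accepts any signature, and the sample transcripts are constructed.

```python
"""AND-composed (hybrid) signature verification with a simulated verifier
bug in one component. Added illustration for the TLS thread above; scheme
stand-ins, the BrokenVerify failure mode and the sample messages are
constructed, not taken from any specification or implementation."""
import hashlib
import secrets


def _h(hash_name: str, data: bytes) -> bytes:
    return hashlib.new(hash_name, data).digest()


class LamportOTS:
    """Lamport one-time signature (hash-based). The secret key is 256 pairs of
    random 32-byte preimages, the public key their hashes; signing reveals one
    preimage per message-digest bit. One key must sign only one message.
    Used here only as a stand-in for a signature algorithm; the hash name just
    makes the two components of the hybrid independent of each other."""

    def __init__(self, hash_name: str):
        self.hash_name = hash_name

    def _bits(self, msg: bytes):
        digest = _h(self.hash_name, msg)  # 32 bytes for sha256 and sha3_256
        return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

    def keygen(self):
        sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
        pk = [[_h(self.hash_name, x) for x in pair] for pair in sk]
        return sk, pk

    def sign(self, sk, msg: bytes):
        return [sk[i][b] for i, b in enumerate(self._bits(msg))]

    def verify(self, pk, msg: bytes, sig) -> bool:
        if len(sig) != 256:
            return False
        return all(_h(self.hash_name, sig[i]) == pk[i][b]
                   for i, b in enumerate(self._bits(msg)))


class BrokenVerify:
    """Constructed failure mode: wraps a scheme whose verifier has a bug and
    accepts every signature. Models the 'PQ signature has a weakness' case."""

    def __init__(self, inner):
        self.inner = inner

    def keygen(self):
        return self.inner.keygen()

    def sign(self, sk, msg: bytes):
        return self.inner.sign(sk, msg)

    def verify(self, pk, msg: bytes, sig) -> bool:
        return True  # the bug: signature is never checked


class HybridSig:
    """AND-composition: the hybrid signature is the pair (classical, pq) and
    verifies only if BOTH components verify under their own public keys."""

    def __init__(self, classical, pq):
        self.classical, self.pq = classical, pq

    def keygen(self):
        sk_c, pk_c = self.classical.keygen()
        sk_p, pk_p = self.pq.keygen()
        return (sk_c, sk_p), (pk_c, pk_p)

    def sign(self, sk, msg: bytes):
        return (self.classical.sign(sk[0], msg), self.pq.sign(sk[1], msg))

    def verify(self, pk, msg: bytes, sig) -> bool:
        return (self.classical.verify(pk[0], msg, sig[0])
                and self.pq.verify(pk[1], msg, sig[1]))


def demo() -> dict:
    """Compare pure-PQ authentication with a buggy verifier against the same
    buggy component inside a hybrid. Returns the four outcomes."""
    genuine_msg = b"handshake transcript (constructed sample)"
    forged_msg = b"attacker-chosen transcript (constructed sample)"
    classical = LamportOTS("sha256")                   # stand-in for a classical scheme
    pq_buggy = BrokenVerify(LamportOTS("sha3_256"))    # stand-in for a PQ scheme with a verifier bug
    junk_sig = [b"\x00" * 32] * 256                    # forgery attempt: no key material at all

    # Pure (non-hybrid) PQ authentication: the bug alone decides the outcome.
    _, pk_p = pq_buggy.keygen()
    pure_forgery_accepted = pq_buggy.verify(pk_p, forged_msg, junk_sig)

    # Hybrid: the classical component still has to verify.
    hybrid = HybridSig(classical, pq_buggy)
    sk_h, pk_h = hybrid.keygen()
    genuine_accepted = hybrid.verify(pk_h, genuine_msg, hybrid.sign(sk_h, genuine_msg))
    hybrid_forgery_accepted = hybrid.verify(pk_h, forged_msg, (junk_sig, junk_sig))

    # Sanity check on the stand-in itself: a signature bound to one message
    # must not verify for another.
    sk_l, pk_l = classical.keygen()
    cross_msg_accepted = classical.verify(pk_l, forged_msg, classical.sign(sk_l, genuine_msg))

    return {
        "pure_forgery_accepted": pure_forgery_accepted,      # True: the bug is fatal on its own
        "hybrid_forgery_accepted": hybrid_forgery_accepted,  # False: classical component rejects
        "genuine_accepted": genuine_accepted,                # True
        "cross_msg_accepted": cross_msg_accepted,            # False
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry this makes visible is the one Ekr and Simon are weighing: with the pure scheme, the window during which the bug exists and has not been disabled is the window of exposure, whereas the hybrid turns the same bug into no exposure for as long as the classical component holds. The converse also follows from the AND rule: a hybrid is never weaker than its stronger component, but it costs an extra signature and public key per handshake.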
