Actually, it doesn't. The attack would be just as applicable if we offered group 19 (preferred) and group 1 (supported), and the attacker had a factor base to group 1.
Postquantum does mean that it is more applicable to less obscure scenarios.

________________________________________
From: Michael Richardson
Sent: Wednesday, July 30, 2025 2:16 PM
To: Jun Hu (Nokia)
Cc: Valery Smyslov; 'Christopher Patton'; Scott Fluhrer (sfluhrer); 'ipsec'
Subject: Re: [IPsec] Re: draft-smyslov-ipsecme-ikev2-downgrade-prevention

Jun Hu (Nokia) <jun...@nokia.com> wrote:
> [HJ] sure, but my understanding is the attack we are discussing here
> doesn't rely on a CRQC

It does. The attacker is able to remove the quantum-safe algorithms from the proposal, leaving the communication using quantum-unsafe algorithms.

_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org
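The point made above (that stripping the preferred group from a proposal works the same whether the preferred group is quantum-safe or merely stronger) can be shown with a toy negotiation model. This is an added example, not code from the thread, the draft, or any IKEv2 implementation. Groups 1 and 19 carry their real IKEv2 DH-group transform IDs; the quantum-safe hybrid ID is a hypothetical placeholder from the private-use range. The model only captures the effect of the attacker removing groups from what the responder sees; it does not model how that is done on the wire, and it says nothing about the prevention mechanism the draft proposes.

```python
from typing import Iterable, Optional, Sequence, Tuple

# Real IKEv2 Diffie-Hellman group transform IDs named in the thread.
MODP_768 = 1     # group 1, 768-bit MODP (the "factor base" target)
ECP_256 = 19     # group 19, 256-bit random ECP
# Placeholder for a quantum-safe hybrid group. 1024 sits in the private-use
# range of the registry; it is a hypothetical stand-in, not an assigned ID.
PQ_HYBRID = 1024


def responder_choice(offered: Sequence[int], supported: Iterable[int]) -> Optional[int]:
    """Pick the first group in the initiator's preference order that the
    responder also supports, or None if there is no overlap."""
    supported_set = set(supported)
    for group in offered:
        if group in supported_set:
            return group
    return None


def strip_unbreakable(offered: Sequence[int], breakable: Iterable[int]) -> list:
    """On-path attacker: drop every group it cannot break, keep the rest in
    order. How the stripping is achieved on the wire is deliberately not
    modelled; only its effect on what the responder sees is."""
    breakable_set = set(breakable)
    return [g for g in offered if g in breakable_set]


def run_exchange(initiator_offer: Sequence[int],
                 responder_supported: Iterable[int],
                 attacker_breakable: Iterable[int]) -> Tuple[Optional[int], bool]:
    """Return (negotiated group, attacker can recover the shared secret)."""
    breakable_set = set(attacker_breakable)
    seen = strip_unbreakable(initiator_offer, breakable_set)
    chosen = responder_choice(seen, responder_supported)
    readable = chosen is not None and chosen in breakable_set
    return chosen, readable


if __name__ == "__main__":
    # Scenario A (the thread's classical case): 19 preferred, 1 supported,
    # attacker holds a precomputed factor base for group 1 and no CRQC.
    print("classical:", run_exchange([ECP_256, MODP_768], [ECP_256, MODP_768], {MODP_768}))
    # Scenario B: PQ hybrid preferred, 19 supported, attacker has a CRQC
    # that breaks 19. Same structure, same outcome.
    print("post-quantum:", run_exchange([PQ_HYBRID, ECP_256], [PQ_HYBRID, ECP_256], {ECP_256}))
    # A configuration that never offers the breakable group gives the
    # attacker nothing to keep: the exchange fails instead of completing weakly.
    print("no weak group:", run_exchange([ECP_256], [ECP_256, MODP_768], {MODP_768}))
```

Both attack scenarios negotiate the weakest offered group and leave the attacker able to read the traffic; the only difference between them is which group the attacker can break, which is exactly the observation in the reply above. The model assumes a responder that honours the initiator's preference order and an attacker that can influence which groups the responder sees; replace those assumptions with a concrete mechanism before drawing conclusions about any real implementation.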