Dear all,
On 06/08/2022 13:00, Rob Sayre wrote:
> On Fri, Aug 5, 2022 at 10:15 PM Benjamin Kaduk <bka...@akamai.com> wrote:
>
>> It's annoying to the attacker when they have to use their expensive
>> and finicky hardware once (or multiple times) for each individual
>> message/exchange they want to break,
>
> Well, I can agree with the term "expensive", but I'm not sure what you
> mean by "finicky". Are you saying they only work sometimes? It seems a
> bit hand-wavy to say that.
>
> I've seen quantum computers before. They are room-sized, but not that
> big. I still find the term "quantum annoying" rather imprecise.
Maybe this is better (taken from the Eaton and Stebila paper in reference
to PAKEs):
"""
If a scheme is quantum annoying, then being able to solve one discrete
logarithm (in the case of DH, for example, sic) does not immediately
provide the ability to compromise a system; instead, each discrete
logarithm an adversary solves only allows them to eliminate a single
possible password. Essentially, the adversary must guess a password,
solve a discrete logarithm based on their guess, and then check to see
if they were correct.
"""
It is difficult to assess how 'annoying' this will be for a quantum
computer. For a strong noise-free quantum computer it is probably not
annoying, but for something in between (which is what we might get in the
upcoming years) it might be.
Thanks,
--
Sofía Celi
@claucece
Cryptographic research and implementation at many places, specially Brave.
Chair of hprc at IRTF and anti-fraud at W3C.
Reach me out at: cheren...@riseup.net
Website: https://sofiaceli.com/
3D0B D6E9 4D51 FBC2 CEF7 F004 C835 5EB9 42BF A1D6
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
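
The property quoted from Eaton and Stebila above, as an added example that is not part of the original message or of the paper: a toy model that counts how many discrete logarithms are needed to test a list of candidate passwords against one observed exchange. The password-derived generator, the tiny group (p = 2039), the key-confirmation tag, and all function names and sample passwords are assumptions constructed for illustration.

```python
import hashlib
import secrets

# Toy group (constructed for this example): p = 2q + 1 with p, q prime,
# working in the order-q subgroup of squares mod p. Far too small for real use.
P, Q = 2039, 1019

def hash_to_group(password: str) -> int:
    """Map a password to a generator of the order-q subgroup (hypothetical helper)."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h % (P - 3) + 2, 2, P)  # square of a value in [2, p-2] is never 1

def confirm_tag(key: int, a_pub: int, b_pub: int) -> bytes:
    """Key-confirmation value that an eavesdropper can observe."""
    return hashlib.sha256(f"{key}|{a_pub}|{b_pub}".encode()).digest()

def honest_session(password: str):
    """One run between two honest parties; returns the public transcript."""
    g = hash_to_group(password)
    a, b = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    a_pub, b_pub = pow(g, a, P), pow(g, b, P)
    return a_pub, b_pub, confirm_tag(pow(b_pub, a, P), a_pub, b_pub)

class DlogOracle:
    """Stands in for the quantum computer: one call = one discrete logarithm."""
    def __init__(self):
        self.calls = 0
    def solve(self, base: int, target: int) -> int:
        self.calls += 1
        return next(x for x in range(Q) if pow(base, x, P) == target)

def offline_search(transcript, dictionary, oracle):
    """Test each candidate password; every test costs a fresh oracle call."""
    a_pub, b_pub, tag = transcript
    for guess in dictionary:
        g = hash_to_group(guess)
        a = oracle.solve(g, a_pub)  # logarithm is relative to this guess's generator
        if confirm_tag(pow(b_pub, a, P), a_pub, b_pub) == tag:
            return guess
    return None

# Constructed sample data
DICTIONARY = ["123456", "letmein", "hunter2", "correct horse", "qwerty"]
oracle = DlogOracle()
found = offline_search(honest_session("correct horse"), DICTIONARY, oracle)
print(f"recovered {found!r} after {oracle.calls} discrete logarithms")
```

Because the generator depends on the password, a logarithm solved for one guess says nothing about the next guess, so the oracle count grows with the number of candidates tested rather than staying at one.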