For signatures or keys in something like a certificate, I understand how you 
would want to have both the PQ and classical keys/sigs in the same structure, 
to satisfy those who want the classical algorithm and those who prefer the 
post-quantum.

For key exchange? For the most part a negotiation is good enough, no?  To 
justify a hybrid key exchange you need people who are both worried about 
quantum computers and worried about cryptanalysis or the new algorithms, but 
are willing to bet that those things won’t happen at the same time. Or at 
least, within the time where the generated key still matters.

I’m sure it’s not an empty set of people, but is it sizable?


> On 7 Nov 2023, at 10:29, Scott Fluhrer (sfluhrer) 
> <sfluhrer=40cisco....@dmarc.ietf.org> wrote:
> 
> The problem with the argument “X trusts Kyber, so we don’t need hybrid” 
> (where X can be “NIST” or “the speaker”) is that trust, like beauty, is in 
> the eye of the beholder.  Just because NIST (or any other third party) is 
> comfortable with just using Kyber (or Dilithium) does not mean that everyone 
> does.
>  
> As long as there are a number of users that don’t quite trust fairly new 
> algorithms, there will be a valid demand for using those new algorithms with 
> older ones (which aren’t postquantum, but which we are moderately confident 
> are resistant to conventional cryptanalysis).
>  
> From: TLS <tls-boun...@ietf.org> On Behalf Of Watson Ladd
> Sent: Monday, November 6, 2023 2:44 PM
> To: Kris Kwiatkowski <k...@amongbytes.com>
> Cc: Bas Westerbaan <bas=40cloudflare....@dmarc.ietf.org>; TLS List 
> <TLS@ietf.org>
> Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
>  
> Why do we need FIPS hybrids? The argument for hybrids is that we don't trust 
> the code/algorithms that are new. FIPS certification supposedly removes that 
> concern so we can just use the approved PQ implementation.
>  
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
