The security analysis of post-quantum crypto is far less mature than the
security analysis of ECC was when the Internet moved to ECC:

   * 48% of the 69 round-1 submissions to the NIST post-quantum
     competition in 2017 have been broken by now.

   * 25% of the 48 submissions unbroken during round 1 have been broken
     by now.

   * 36% of the 28 submissions _selected by NIST in 2019 for round 2_
     have been broken by now.

See https://cr.yp.to/papers.html#qrcsp for the data, and slide 11 of
https://cr.yp.to/talks.html#2024.01.11 for a graph showing when the
breaks were published.

We have to try to protect users against quantum computers. This means
rolling out post-quantum crypto asap. But we also need a simple rule of
always using hybrids in case the post-quantum crypto fails. This rule
has been followed by every major post-quantum deployment so far, has
played an important role in _encouraging_ post-quantum deployment, and
meant that the break of SIKE didn't turn into an immediate break of
real user data that Google and Cloudflare had encrypted with CECPQ2.

NSA and GCHQ have been arguing to the contrary. Their arguments don't
hold up to examination; see https://blog.cr.yp.to/20240102-hybrid.html.
But the arguments are still sitting there, and NSA's market influence
cannot be ignored. I would treat non-hybrid drafts in IETF the same way
as "export" options in code: they're security risks. I would encourage
explicit withdrawal of any such drafts.

---D. J. Bernstein

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls