Bas Westerbaan writes:
> We think it's worth it now, but of course we're not going to keep
> hybrids around when the CRQC arrives.

I think this comment illustrates an important ambiguity in the "CRQC" terminology. Consider the scenario described in the following paragraph from https://blog.cr.yp.to/20240102-hybrid.html:

   Concretely, think about a demo showing that spending a billion dollars on quantum computation can break a thousand X25519 keys. Yikes! We should be aiming for much higher security than that! We don't even want a billion-dollar attack to be able to break _one_ key! Users who care about the security of their data will be happy that we deployed post-quantum cryptography. But are the users going to say "Let's turn off X25519 and make each session a million dollars cheaper to attack"? I'm skeptical. I think users will need to see much cheaper attacks before agreeing that X25519 has negligible security value.

It's easy to imagine the billion-dollar demo being important as an advertisement for the quantum-computer industry but having negligible impact on cryptography:

* Hopefully we'll have upgraded essentially everything to post-quantum crypto before then.

* It's completely unclear that the demo should or will prompt users to turn off hybrids.

* On the attack side, presumably real attackers will have been carrying out quantum attacks before the public demo happens.

For someone who understands what "CRQC" is supposed to mean: Is such a demo "cryptographically relevant"? Is the concept of relevance broad enough that Google's earlier demonstration of "quantum supremacy" also counts as "cryptographically relevant", so CRQCs are already here?

---D. J. Bernstein

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls