Hi D. J. Bernstein,

One technical concern first, and then two non-technical ones:

At the end of your 5th last para, you make a very strong claim about best estimates. Please provide a technical justification of your claim or provide an authentic reference for that claim. I am asking because to my knowledge, the /formal/ (vs. /cryptographic/computational/) analyses consider that /all/ ECC keys are leaked on the advent of CRQC and essentially model it as a switch to leak all ECC keys. It may be a simplifying assumption for /formal/ analysis that folks have used but that seems to be the state-of-the-art in the /formal/ world. I understand you are a cryptographer and I would like to understand your reasoning.

---

I think a couple of your technical points are good and I would like to understand them, but your notices make it quite difficult to have a technical discussion. I have to count the paragraphs, and any interested reader trying to understand has to count them too, then read that para and then come back. It seems like an additional burden. Please consider removing them. If it is not possible, please clarify (ideally binary answer) in simple words the intended legal interpretation of these notices: do you allow me to quote parts of your messages /without modification/ to respond to them point-by-point?

---

Since you brought up your counting of votes, I have a different interpretation. My vote count is:

   Proponents: 20

   Opponents: 25

In particular, I see the following missing in your list:

 * Richard as author of draft-barnes-tls-this-could-have-been-an-email
 * Ekr as /strongly supporting/ the above draft and explicitly
   advocating it to be applied to draft-ietf-tls-mlkem [0]
 * Toerless Eckert [1] (he even created two issues in repo)

I may have misunderstood their intention but that is how I interpret it.

Several folks (including myself) recorded their objection to anonymous inputs (see the thread [2]). So I didn't count the anonymous "TLS participant" as a proponent.

Moreover, your blog is only quoting my first email, which was a non-technical starting point for discussion, which is not representative of all of my concerns. I have given substantial technical feedback and raised several technical concerns in the follow-up discussion based on the modeling and research that I was doing during WGLC.

Best regards,

-Usama

[0] https://mailarchive.ietf.org/arch/msg/tls/vIGryOB0TU_vD81HUUxXQUNdnN0/

[1] https://mailarchive.ietf.org/arch/msg/tls/nKo0pO7R3zJr-sjUyNdvIB1FKas/

[2] https://mailarchive.ietf.org/arch/msg/tls/YZT5IzoumhTt3C53lQR2WOZNvBU/


_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
