On 24-May-26 06:10, Viktor Dukhovni wrote:
On Sat, May 23, 2026 at 03:58:02PM -0000, D. J. Bernstein wrote:

First, risk comparison has to look at not just probability but impact.
For example: https://arxiv.org/abs/2603.28846 shows that a plausible
model of a not-many-years-from-now quantum computer will be able to
break about 2^15 ECC keys per year. That's very bad for those keys,
times the number of quantum computers that the attacker can afford at
that point, but it's still far smaller than the number of PQ keys that
one would expect to be broken via a single PQ software bug.

Perhaps I've been skimming all the wrong posts, but finally I'm looking
at a tangible argument rather than litigation of process or motivations,
in which you do in fact assign more weight to the risk of near-term
PQ-compromise and less to the import of near-term ECC obsolescence than
my strawman hypothetical "NSA" posture.

<snip>

This core argument for ECC+PQ is _not_ dependent
upon any guesses for when the first quantum computers will appear.

Assuming that means "breaking two algorithms is always harder than
breaking one algorithm", that is very hard to argue against, from
my point of view as a crypto ignoramus.

It doesn't follow from that that we shouldn't document how to apply
PQ-only algorithms, as long as we *also* document and cite
this risk analysis.

Regards/Ngā mihi
   Brian Carpenter

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]