top | item 40770315

ogisan | 1 year ago

I disagree. Avoiding PKI and post-quantum security correlate very much. Even under plausibly post-quantum assumptions we only have a couple of assumptions from which we can build public key encryption. In contrast, here they avoid all use of public key cryptography which makes it provably post-quantum secure. It’s not using a buzzword for the sole sake of selling the paper. In general, using “minimal cryptography” (like random oracles / one-way functions) translates to real-world efficiency because you can instantiate these from a plethora of different concrete candidates.

ilya_m | 1 year ago

> Avoiding PKI and post-quantum security correlate very much. Even under plausibly post-quantum assumptions we only have a couple of assumptions from which we can build public key encryption.

These statements presuppose an overly expansive definition of PKI, i.e., distribution of keys for public-key encryption. A more conservative definition is PKI = availability of trustworthy publicly verifiable signatures (i.e., public-key certificates). Post-quantum signatures can be based on target collision-resistant hash functions, like XMSS.

The paper assumes pairwise private and authenticated channels. While in practice this is not necessarily a good substitute for PKI, in theory it is a strictly weaker setting.
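To make concrete the point raised in both comments above, that signatures (and "minimal cryptography" generally) can be built from a hash function alone with no number-theoretic public-key assumption, here is an added example that is not part of either comment or of the paper under discussion. It implements a Lamport one-time signature over SHA-256, the simplest member of the hash-based family; XMSS, which ilya_m mentions, layers WOTS+ chains and a Merkle tree on top of this idea to get a many-time key, and that part is not shown. The `OneTimeSigner` wrapper, the message strings and the use of SHA-256 as the hash are all constructed for this demo.

```python
import hashlib
import hmac
import secrets
from typing import Callable, List, Tuple

# Constructed teaching example: a Lamport one-time signature. The signer's
# only cryptographic tool is a hash function, so security rests on the
# hash being one-way / second-preimage resistant rather than on RSA, DLOG
# or any other public-key assumption. SHA-256 is an assumption of this
# demo, not something the thread specifies.

N = 256  # digest length in bits; one pair of secret preimages per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(message: bytes) -> List[int]:
    """Bit i (MSB-first) of H(message), i in [0, N)."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def keygen(rng: Callable[[int], bytes] = secrets.token_bytes):
    """Secret key: N pairs of random 32-byte preimages.
    Public key: the hash of each preimage."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk: List[Tuple[bytes, bytes]], message: bytes) -> List[bytes]:
    """For each digest bit, reveal the preimage selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(pk: List[Tuple[bytes, bytes]], message: bytes, sig: List[bytes]) -> bool:
    """Recompute the digest and check every revealed preimage hashes to the
    published value for that bit. All N comparisons are performed, and each
    uses a constant-time compare, so a bad signature does not short-circuit."""
    if len(sig) != N:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        ok &= hmac.compare_digest(H(sig[i]), pk[i][bit])
    return bool(ok)


class OneTimeSigner:
    """Holds one Lamport key pair and enforces the one-time rule.

    Signing two different messages reveals preimages from both halves of
    many pairs, so the key must never be reused. This state-tracking is the
    operational burden that XMSS inherits (it must track which leaf of its
    Merkle tree has been consumed); a many-time hash-based scheme is not
    shown here."""

    def __init__(self) -> None:
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, message: bytes) -> List[bytes]:
        if self.used:
            raise RuntimeError("Lamport key already used; generate a fresh key pair")
        self.used = True
        return sign(self.sk, message)


if __name__ == "__main__":
    signer = OneTimeSigner()
    msg = b"constructed sample message"
    sig = signer.sign(msg)
    print("valid signature verifies:", verify(signer.pk, msg, sig))
    print("tampered message verifies:", verify(signer.pk, msg + b"!", sig))
```

The public key is 256 pairs of 32-byte hashes (16 KiB) and a signature is 8 KiB, which is why practical hash-based schemes replace the per-bit pairs with Winternitz chains and aggregate many one-time keys under a single Merkle root; the security argument, however, is exactly the one in the demo: forging requires inverting or finding a second preimage for the hash.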