top | item 43742775


kevvok | 10 months ago

With the industry pivoting towards focussing on post-quantum algorithms, I’d be surprised if yet another elliptic curve gains much traction.

ryao | 10 months ago

That seems like a mistake, since PQAs are an objective downgrade from ECC in everything except for immunity to Shor’s algorithm. It is not clear that machines with the tens of millions of qubits needed to run Shor’s algorithm will be constructed, since there is no quantum Moore’s law that gives us a clear roadmap to making them. If they never are made, then all of these PQAs will have been a waste and we will have missed opportunities for improvements from improved curves. For example, the failure to deploy EdDSA certificates in PKI has been a missed opportunity. I hope the industry reverses course and deploys them, since they are a clear improvement over the current ECDSA certificates.

I can see using hybrid PQAs for key agreement as a hedge against quantum machines actually being constructed, but with the upcoming 47 day certificates, there really is no need to avoid EdDSA. If we come anywhere near constructing a quantum computer that can crack the public keys, the industry could pivot to ML-DSA with the older EdDSA certificates expiring before there is any risk of them being cracked.

Retr0id | 10 months ago

If we assume cryptographically-relevant quantum computers will one day exist, you don't just need to worry about certs being cracked before they expire, but also the ECDH-established session keys being cracked. These keys are ephemeral, but if you store the ciphertexts long-term, you can crack them at any point in the future (aka https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).

Retr0id | 10 months ago

The industry is mostly pivoting to hybrid schemes, and it's sensible to want a higher-security curve to pair with a higher-security PQ algorithm.

ryao | 10 months ago

The pivot is occurring on both key agreement and signatures. Hybrid schemes currently only exist for key agreement. Perfect forward secrecy means that as long as the key agreement schemes are secure against Shor’s algorithm, we can afford to do a much more leisurely rollout of PKI with PQ signing algorithms. Whether people will opt for “hybrid” signatures is yet to be seen.