Hacker News

Doesn't the NSA object to hybrid schemes on the weird grounds that current implementations suck, being full of implementation errors, and that all-new PQ-only ones will not?

Edit: reference https://mailarchive.ietf.org/arch/msg/spasm/McksDhejGgJJ6xG6...




That doesn't make much sense as an objection, since the classical cryptography code is better ironed out than the PQ stuff, and the logic to combine the two is fairly simple.

Unless there is an unexpected leap in the viability of quantum cryptanalysis, you should expect that all commercial/standard cryptography with PQ capabilities will run in a hybrid configuration.

I'm only commenting here because there's a pervasive belief that this is controversial in cryptography engineering circles, or that NIST is trying somehow to prevent hybrid schemes from happening, which is simply not the case --- though they may not bother to standardize any particular mechanism of combining ECC/RSA with PQ exchanges (but: they don't standardize stuff like TLS ciphersuites, either).
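The combining step the comment above calls "fairly simple", shown as an added example that is not code from the thread, from NIST, or from any particular standard. It takes the two shared secrets a hybrid handshake ends up with (classical, e.g. X25519, and post-quantum, e.g. ML-KEM), length-prefixes them together with both ciphertexts and a label, and runs the result through HKDF-SHA256. That exact encoding, the label string, and the sample byte values are assumptions made for the example; real protocols fix their own framing (TLS, for instance, feeds the concatenated secrets into its existing key schedule). The one check a practitioner would want is included: an all-zero X25519 output signals a low-order peer point and the handshake must abort (RFC 7748, section 6.1).

```python
"""Hybrid KEM combiner: one session key from a classical and a post-quantum
shared secret. Illustrative example, not from the thread or any standard."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract instantiated with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand instantiated with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _lp(data: bytes) -> bytes:
    """Two-byte length prefix so the concatenated fields cannot be re-split ambiguously."""
    if len(data) > 0xFFFF:
        raise ValueError("field too long for a 2-byte length prefix")
    return len(data).to_bytes(2, "big") + data


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes,
                           ct_classical: bytes, ct_pq: bytes,
                           label: bytes = b"example-hybrid-kem-v1",
                           length: int = 32) -> bytes:
    """Derive one key that is secure as long as EITHER input secret is secure.

    Both secrets go into the HKDF extract step (the key material); both
    ciphertexts and the label go into the expand step (the context), so the
    derived key is bound to the exact transcript of the exchange.
    The construction and label are assumptions for this example.
    """
    if not ss_classical or not any(ss_classical):
        # RFC 7748 s.6.1: an all-zero X25519 output means the peer sent a
        # low-order point; the handshake must be aborted, not continued.
        raise ValueError("classical shared secret is all zeros; abort the handshake")
    if not ss_pq:
        raise ValueError("post-quantum shared secret is empty")
    ikm = _lp(ss_classical) + _lp(ss_pq)
    info = _lp(label) + _lp(ct_classical) + _lp(ct_pq)
    prk = hkdf_extract(b"\x00" * hashlib.sha256().digest_size, ikm)
    return hkdf_expand(prk, info, length)


# Constructed sample values (assumptions) standing in for what a real X25519
# exchange and a real ML-KEM encapsulation would yield. After the exchange,
# both sides of the handshake hold these same four values.
SS_X25519 = bytes.fromhex("1a" * 32)
SS_MLKEM = bytes.fromhex("2b" * 32)
CT_X25519 = bytes.fromhex("3c" * 32)  # the ephemeral X25519 public key sent on the wire
CT_MLKEM = bytes.fromhex("4d" * 64)   # shortened stand-in; a real ML-KEM-768 ciphertext is 1088 bytes


def demo() -> bytes:
    """Run the combiner on the constructed sample exchange and return the session key."""
    return combine_shared_secrets(SS_X25519, SS_MLKEM, CT_X25519, CT_MLKEM)


if __name__ == "__main__":
    print(demo().hex())
```

Two things the code makes concrete. First, the combiner itself is a length-prefixed concatenation and a KDF, so the error surface the NSA objection worries about is tiny next to the lattice arithmetic inside the PQ KEM. Second, because the derived key is a pseudorandom function of both secrets, an attacker who later breaks one component (a quantum attack on X25519, or an implementation flaw in the PQ side) still has to recover the other to get the session key; the tests check that changing either secret or either ciphertext changes the output.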



