Enable post-quantum key exchange by default?
On 3/10/21 11:18 PM, Damien Miller wrote:
>> There are those who feel that FFC should be thrown away in favor of ECC
>> key exchanges and those who feel that PQC is coming soon and will be
>> able to factor ECC faster than FFC.
>
> I'm pretty much one of them :) I'm skeptical whether useful QCs will be
> a thing in my lifetime, but the probability is far enough above zero that
> it makes sense to use PQC if the costs aren't too high.

On that note, I wonder if we should turn on post-quantum key exchange in the
not too distant future, as the default most-preferred kex. IIUC the one we
use is secure if our version of NTRU is secure *or* Curve25519 is secure,
and since crypto code is constant-time there is little room for memory
unsafety vulnerabilities. So it is low-risk, high-reward, unless I am missing
something.

> -d

Sincerely,

Demi