From previous RT of ' post - the most compelling argument for the PQC work underway now.
eprint.iacr.org/2015/1075.pdf
read image description
ALT
2
2
4
Conversation
If one really believes that, the most rational choice is 64kbit RSA not dubious PQ systems that break to classical math on laptops.
2
The default OpenSSH key exchange since OpenSSH 8.9 is sntrup761x25519-sha512@openssh.com which is only broken if both ed25519 and the PQC algorithm they chose are broken.
1
1
Key exchange is what needs to be improved in the short term because that's what has to hold up to future attacks. It's already almost entirely ECDHE with ed25519 or in some cases still P-256. Only legacy setups still use RSA for key exchange because it lacks forward secrecy.
TLS 1.3 only has ECDHE key exchange. DHE and RSA key exchange are gone. It still supports RSA for server / client authentication but that's not as important and doesn't need to be secure into the future. It's a legacy feature since it isn't an option for key exchange anymore.
1
If you're using RSA certs with TLS 1.3, it doesn't matter if RSA is broken in 10 years. Does matter if x25519 is broken in 10 years.
RSA is heavily used for update signing, etc. since P-256, ed25519, etc. are slower to verify. Common not to have easy key rotation for that too.
1
1
Show replies