Remix.run Logo
iririririr a day ago

if i were the nsa, I'd have spent all my research money on attacking ecc+pq, because 1. no self respecting security engineer would deploy bare pq (see cloudflare), 2. no phd research team would attack the combination (well, not before until it's too late) because that's harder than a phd requires (they will target solo pq or solo ecc). 3. it's much easier to "sell". q.e.d. this article.

maqp a day ago | parent | next [-]

Probably not. It's been ~13 years when Snowden said what the NSA is doing is going around the encryption by hacking endpoints. Post quantum cryptography doesn't change any of that. You can still lift TLS keys with exploits for transparent MITM. I'd imagine it's much better ROI to look for vulnerabilities with Mythos, than to attack the algorithms.

g-b-r a day ago | parent [-]

> is going around the encryption by hacking endpoints

Because they weren't (supposedly) able to break the encryption

> than to attack the algorithms

You have an opportunity to introduce new, broken, algorithms; they exploited it with DES, tried to exploit it with ECC, why wouldn't they try it with post-quantum (which they've kind of been pushing)?

tptacek a day ago | parent | prev [-]

This is completely backwards. The more cryptography-literate you are, the more likely it is you think hybrids are silly. Plenty of cryptographers think this is all bullshit, and that ECC+MLKEM makes about as much sense as an AES+Serpent cascade. It is simultaneously the case that MLKEM is far less mysterious than programmers on message boards think it is, and that conventional ECC and finite field cryptography is much more mysterious and spooky than they think it is.

(I'm only somewhat cryptography-literate and so I would myself default to a hybrid, though that opinion might change the first time I bother banging together an MLKEM implementation.)

g-b-r a day ago | parent [-]

> The more cryptography-literate you are, the more likely it is you think hybrids are silly

You are if you're considering a cypher that's extremely likely to be secure.

In this case we're ok to introduce something with a chance to be quantum-resistant before it's been studied enough, because we want a chance of being quantum-resistant soon.

But that's only ok if you add it to the existing, reliable, systems.

Were there not the issue of quantum computers we wouldn't even be considering to use different cyphers at this time.

tptacek a day ago | parent [-]

It's "cipher". But we're not talking about ciphers; we're talking about key establishment algorithms.

xnorswap a day ago | parent | next [-]

It's cypher in British English.

g-b-r a day ago | parent | prev [-]

Ok, yes, replace "cypher" with cryptographic primitive.

Maybe I said cypher for the AES+Serpent mention (and because I like cyberpunk xD)