On Tue, 13 Jan 2015 13:36:01 +0100 Chí-Thanh Christopher Nguyễn wrote:
> Andrew Savchenko wrote:
> > On Mon, 12 Jan 2015 19:44:46 +0100 Kristian Fiskerstrand wrote:
> >> Shor's would be effective against discrete logs (including ECC) as
> >> well, so wouldn't be applicable to this selection. For post-quantum
> >> asymmetric crypto we'd likely need e.g. a lattice based primitive.
> > Why not use post-quantum signing together with a traditional one?
>
> Indeed. Problem is that so-called post-quantum cryptosystems are
> sometimes not even secure against non-quantum computers. I remember back
> when NTRU was the latest hotness, and the breaking and fixing ping-pong
> that security researchers played between conferences with it,
> particularly with the signature part.

I think this is a problem of all new crypto solutions: they are
likely to have flaws at both the theory/model and implementation
levels. But using them as an addition (on an AND basis) doesn't hurt
security. However, as was pointed out in another reply, the management
overhead (second keypair, signature and web of trust) is considered
too much now.

> None of these has stood the test of time like RSA or DLP-based crypto.
> If post-quantum signing is desired, I agree that using it in addition
> to traditional signing should be strongly considered.

Best regards,
Andrew Savchenko
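The "AND basis" combination discussed above, as an added illustration (not code from this thread or from any of the projects mentioned): a hybrid signature is accepted only if a classical signature and a post-quantum signature both verify, so a forger must break both primitives. The classical leg is a textbook Schnorr signature over a deliberately tiny group (p = 1019, q = 509, g = 4, chosen here for readability and offering no real security); the post-quantum leg is a Lamport one-time signature built from SHA-256 alone, the simplest hash-based scheme. All parameters and messages are constructed for the example.

```python
import hashlib, secrets

# Toy Schnorr group: p = 2q + 1 with p = 1019 and q = 509 prime, g = 4 of
# order q.  Illustration-sized only; a real deployment uses a large group.
P, Q, G = 1019, 509, 4

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

# --- classical leg: textbook Schnorr signature (discrete-log based) ---
def schnorr_keygen():
    x = secrets.randbelow(Q - 1) + 1            # private exponent in 1..q-1
    return x, pow(G, x, P)                      # (sk, pk)

def schnorr_sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1            # fresh per-signature nonce
    r = pow(G, k, P)
    e = int.from_bytes(H(r.to_bytes(2, "big"), msg), "big") % Q
    return e, (k - x * e) % Q                   # (e, s)

def schnorr_verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P         # g^s * y^e == g^k when valid
    return e == int.from_bytes(H(r.to_bytes(2, "big"), msg), "big") % Q

# --- post-quantum leg: Lamport one-time signature, hash-only ---
def lamport_keygen():
    # 256 pairs of 32-byte secrets; the public key is their hashes.
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def lamport_sign(sk, msg):
    bits = int.from_bytes(H(msg), "big")        # sign the digest bit by bit
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, msg, sig):
    bits = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))

# --- hybrid: both legs must verify (AND composition) ---
def hybrid_keygen():
    (x, y), (skl, pkl) = schnorr_keygen(), lamport_keygen()
    return (x, skl), (y, pkl)

def hybrid_sign(sk, msg):
    return schnorr_sign(sk[0], msg), lamport_sign(sk[1], msg)  # Lamport key: use once

def hybrid_verify(pk, msg, sig):
    # Reject when either leg fails: forging needs a break of BOTH the discrete log and the hash.
    return schnorr_verify(pk[0], msg, sig[0]) and lamport_verify(pk[1], msg, sig[1])
```

Note that a Lamport key pair signs exactly one message; reusing it leaks half the secret key per signature, which is why practical hash-based schemes build trees of such keys.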