| 1 |
On Tue, 13 Jan 2015 13:36:01 +0100 Chí-Thanh Christopher Nguyễn |
| 2 |
wrote: |
| 3 |
> Andrew Savchenko schrieb: |
| 4 |
> > On Mon, 12 Jan 2015 19:44:46 +0100 Kristian Fiskerstrand wrote: |
| 5 |
> >> Shor's would be effective against discrete logs (including ECC) as |
| 6 |
> >> well, so wouldn't be applicable to this selection. For post-quantum |
| 7 |
> >> asymmetric crypto we'd likely need e.g a lattice based primitive. |
| 8 |
> > Why not to use post-quantum signing together with a traditional one? |
| 9 |
> |
| 10 |
> Indeed. Problem is that so-called post-quantum cryptosystems are |
| 11 |
> sometimes not even secure against non-quantum computers. I remember back |
| 12 |
> when NTRU was the latest hotness, and the breaking and fixing ping-pong |
| 13 |
> that security researchers played between conferences with it, |
| 14 |
> particularly with the signature part. |
| 15 |
|
| 16 |
I think this is a problem of all new crypto solutions: they are |
| 17 |
likely to have flaws at both theory/model and implementation. But |
| 18 |
using them as addition (on AND basis) doesn't hurt security. |
| 19 |
However, as was pointed out in another reply, management overhead |
| 20 |
(second keypair, signature and web of trust) is considered as too |
| 21 |
much now. |
| 22 |
|
| 23 |
> None of these has stood the test of time like RSA or DLP-based crypto. |
| 24 |
> If post-quantum signing is desired, I agree that it should be strongly |
| 25 |
> considered using it in addition to traditional signing. |
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
Best regards, |
| 30 |
Andrew Savchenko |
Archives