GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

Notices

Soatok Dreamseeker (soatok@furry.engineer)'s status on Tuesday, 14-Jan-2025 22:49:23 JST

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman I'm preferring X-Wing in my designs, but I don't think hybrid should be required, esp in gov systems.

Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 14-Jan-2025 22:49:22 JST

@soatok @risottobias @khm @ambiguous_yelp @sammi @joelanman Anything not hybrid is betting on unproven cryptography. And doing it on a deceptive claim that risk of real world Shor's algorithm is higher than risk of trusting new crypto that hasn't stood for decades without breaking.

Soatok Dreamseeker (soatok@furry.engineer)'s status on Tuesday, 14-Jan-2025 23:23:35 JST

@dalias @risottobias @khm @ambiguous_yelp @sammi @joelanman What exactly do you mean "unproven"?

The consensus among lattice experts and cryptanalysts is that, while there is some algebraic structure to some schemes that might be interesting targets for future attacks, their security is pretty well understood. NTRU and whatnot have been around for longer than AES. Is AES "unproven"?

Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 14-Jan-2025 23:23:35 JST

@soatok @risottobias @khm @ambiguous_yelp @sammi @joelanman No because AES is actually used and has things of high value behind it. The PQ stuff doesn't.

Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 15-Jan-2025 00:50:57 JST

@soatok @risottobias @khm @ambiguous_yelp @sammi @joelanman No, it's that, short of formal proof of security which is believed impossible, the only proof I accept is that breaking it would have been worth billions but nobody has done it.

Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 15-Jan-2025 00:50:58 JST

@dalias @risottobias @khm @ambiguous_yelp @sammi @joelanman Ah. So it's all about that sunk cost, rather than the consensus of experts. I can't help you with that, as I don't own a time machine.

jaseg (jaseg@chaos.social)'s status on Wednesday, 15-Jan-2025 02:22:03 JST

@soatok @risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman

Another point worth noting is that the way they implemented PFS in Signal's ratchet, it's not like you could compromise a session by breaking a single key exchange. Instead, in a hypothetical store-now-decrypt-later attack you would have to have a (gapless!) history of all traffic in either direction between two devices since they established contact, and you'd have to crack thousands of key exchanges.

Rich Felker repeated this.
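
As an added illustration of the point above (example code written for this page, not Signal's implementation or anything posted in the thread): a toy model of the Double Ratchet's root chain, with HMAC-SHA256 standing in for HKDF and constructed random 32-byte values standing in for the DH ratchet outputs. It shows that a store-now-decrypt-later attacker who misses or fails to crack even one key exchange cannot derive any later message key, and that cracking every DH step is useless without the initial handshake secret.

```python
import hmac
import hashlib
import os

# Constructed toy model of the Double Ratchet's root chain (not Signal's code):
# HMAC-SHA256 stands in for HKDF and 32 random bytes stand in for each DH
# ratchet output; real deployments get these from X25519 (or PQXDH) exchanges.

def kdf(key: bytes, data: bytes, n: int) -> list:
    """One-way KDF step: derive n 32-byte outputs from a key and fresh input."""
    prk = hmac.new(key, data, hashlib.sha256).digest()
    return [hmac.new(prk, bytes([i]), hashlib.sha256).digest() for i in range(1, n + 1)]

def derive_chain(handshake_secret, dh_outputs):
    """Walk the root chain: each DH output is mixed into the root key and the
    resulting chain key yields that epoch's message key (one message per epoch).
    None marks a key exchange the caller does not know; because the KDF is
    one-way, derivation cannot continue past it. Returns {epoch: message_key}."""
    if handshake_secret is None:
        return {}
    root_key = hashlib.sha256(b"root:" + handshake_secret).digest()
    keys = {}
    for epoch, dh in enumerate(dh_outputs):
        if dh is None:
            break
        root_key, chain_key = kdf(root_key, dh, 2)
        keys[epoch] = kdf(chain_key, b"msg", 1)[0]
    return keys

def store_now_decrypt_later(epochs=8, gap=3):
    """Compare the real session against three attacker positions: a gapless
    capture with every exchange cracked, the same capture with one exchange
    missing, and every DH output known but not the initial handshake."""
    hs = os.urandom(32)                       # constructed handshake secret
    dhs = [os.urandom(32) for _ in range(epochs)]  # constructed DH outputs
    real = derive_chain(hs, dhs)
    full = derive_chain(hs, dhs)
    gappy = derive_chain(hs, dhs[:gap] + [None] + dhs[gap + 1:])
    no_hs = derive_chain(None, dhs)
    return {
        "full_matches": full == real,
        "gap_recovered": sorted(gappy),       # only the epochs before the gap
        "without_handshake": sorted(no_hs),   # nothing at all
    }

if __name__ == "__main__":
    print(store_now_decrypt_later())
```

Changing any single DH output also changes every message key from that epoch onward, which is why each ratchet step is a separate exchange to crack rather than one key that unlocks the session.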

jaseg (jaseg@chaos.social)'s status on Wednesday, 15-Jan-2025 02:22:04 JST

@soatok @risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman Maybe it's worth noting at this point that Signal is currently in the process of implementing a hybrid protocol for key agreement [1].

[1] https://signal.org/docs/specifications/pqxdh/

Rich Felker repeated this.

jaseg (jaseg@chaos.social)'s status on Wednesday, 15-Jan-2025 02:23:52 JST

@soatok @risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman

Also note that all these protocol messages are never sent in the plain. They get tunneled over TLS, so on top of breaking all of Signal's DH key exchanges, you'd first need to break a bunch of TLS connections too.


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.