2022.08.07 05:29:31 (1556120326005592064) from Daniel J. Bernstein:
It's great to see the progress on rolling out post-quantum crypto, assuming big quantum computers are coming. The _risks_ of Kyber problems (patents, attacks) aren't a reason to incur the _definite failure_ of doing nothing. But the bleeding-edge Kyber-512 option is a bad idea. https://twitter.com/grittygrease/status/1555201358357270528
2022.08.07 05:34:37 (1556121607118000129) from Daniel J. Bernstein:
If there's a Kyber-512 attack that scales as well as the recent SIKE attack, then, sure, Kyber-1024 is dead too. But if there's an attack that scales like core RSA attacks (NFS for integer factorization), then moving from Kyber-512 and Kyber-768 to Kyber-1024 could save the day.
2022.08.07 05:46:57 (1556124713960689667) from Daniel J. Bernstein:
Some people say "We'll move to larger key sizes if an attack is published"; does this mean we don't care about tons of user data we're feeding into attacker databases _before_ the attack is published? Once we've sent a ciphertext, we can't retroactively add stronger protections.
2022.08.04 16:37:52 (1555201358357270528) from "Nick Sullivan (@grittygrease)":
Thread. Big announcement from Cloudflare today: we have opened our post-quantum cryptography alpha. We now support Kyber, a post-quantum key agreement in Cloudflare’s reverse proxy product and we want you to help test it with us.
[media]