IETF list is seeing some action.

Daniel J. Bernstein (of curve25519 fame) has lodged a complaint about the transparency of their process:

https://cr.yp.to/2025/20251006-transparency.pdf

Following an earlier complaint which he filed about their rejection of so-called "hybrid encryption" (combining post-quantum encryption with classical encryption so that it is conjectured to be safe against quantum computers, but since it also uses classical encryption it is clearly no less safe than plain classical algorithms). It is implied that the NSA could have a hand in resisting hybrid encryption because it would (self-evidently) be quite a bit more secure than an unproven "post-quantum" algo.

https://cr.yp.to/2025/20250812-non-hybrid.pdf

A funny thing about encryption is that there isn't really a way to *prove* it's secure, you believe it's secure when after 10 or 20 years, no mathematicians have found any tricks to break it...

So I think Bernstein's position, at least in favor of hybrid encryption, is a fair one. I would upgrade SSL to use some fancy schmancy quantum computer resistant encryption algorithm IF it was also going to encrypt with regular old encryption at the same time.

Regarding the complaint about the complaint, no idea who is in the wrong here, but I can easily imagine the IETF acting like a cabal ¯\_(ツ)_/¯
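The "hybrid" construction the post refers to is usually implemented as a key combiner: the shared secret from a classical key exchange and the shared secret from a post-quantum KEM are fed together into a KDF, so the session key is only recoverable by someone who knows both. The example below is an added illustration, not code from the thread or from any IETF draft; it uses a stdlib-only HKDF (RFC 5869) and two constructed byte strings standing in for the ECDH and PQ-KEM outputs, since no real KEM is available offline here. The `transcript` binding and the label string are my own assumptions about how a protocol would use such a combiner.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: concatenate HMAC blocks T(1)..T(n)."""
    digest_size = HASH().digest_size
    if length > 255 * digest_size:
        raise ValueError("requested length exceeds HKDF limit")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def combine_shared_secrets(classical_ss: bytes, pq_ss: bytes,
                           transcript: bytes, length: int = 32) -> bytes:
    """Hybrid combiner: derive one session key from both KEM outputs.

    Both secrets go into the IKM, so an attacker who later breaks either
    scheme still lacks the input needed to recompute the key. The hash of
    the handshake transcript is mixed in as the salt so the key is bound
    to the exchanged public keys / ciphertexts (assumed protocol detail).
    """
    if not classical_ss or not pq_ss:
        raise ValueError("both shared secrets must be present")
    # Length-prefix each part so the concatenation is unambiguous.
    ikm = (len(classical_ss).to_bytes(2, "big") + classical_ss
           + len(pq_ss).to_bytes(2, "big") + pq_ss)
    salt = HASH(transcript).digest()
    return hkdf(salt, ikm, b"hybrid-kem-example v1", length)


def demo() -> dict:
    # Constructed stand-ins for an X25519 shared secret and a PQ KEM secret.
    ecdh_ss = secrets.token_bytes(32)
    pq_ss = secrets.token_bytes(32)
    transcript = b"constructed: client_hello || server_hello"

    key = combine_shared_secrets(ecdh_ss, pq_ss, transcript)
    # An adversary who recovered the classical secret but not the PQ one
    # (or vice versa) derives a different key; same for a tampered transcript.
    key_without_pq = combine_shared_secrets(ecdh_ss, bytes(32), transcript)
    key_without_ecdh = combine_shared_secrets(bytes(32), pq_ss, transcript)
    key_other_transcript = combine_shared_secrets(ecdh_ss, pq_ss, transcript + b"x")
    return {
        "key": key,
        "deterministic": combine_shared_secrets(ecdh_ss, pq_ss, transcript) == key,
        "differs_without_pq": key_without_pq != key,
        "differs_without_ecdh": key_without_ecdh != key,
        "differs_on_transcript": key_other_transcript != key,
    }


if __name__ == "__main__":
    print(demo())
```

The length prefixes matter: without them, `(a || b, c)` and `(a, b || c)` would produce the same IKM, and a combiner should never let the boundary between the two secrets be ambiguous. The HKDF implementation can be checked against the published RFC 5869 test vectors before trusting it.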

@cjd My understanding was that good old RSA was secure against quantum with sufficient key size. I.e. a 4096-bit key requires a 4096-qubit quantum computer to solve. 4095 qubits does not "mostly" solve it.

Big keys are helpful, but there are also algorithms which are conjectured to be entirely safe against quantum computers. But it'll take a few decades before we find out if they're safe at all...
There are some "quantum gadgets" that factor the number 15, but we don't know if it's possible at a meaningful scale.

That's why bolting on an additional algo to your existing one makes sense, it's a little extra computation for future proofing...

But switching to a potentially insecure algo makes no sense at all...

@cjd @dcc I saw an article on a working 128-qubit gadget. I figure govts are probably secretly up to 256 or 1024. The difficulty of getting a bunch of qubits together increases exponentially with number.

Per my memory, breaking 128-bit ECC requires somewhere around 4000 qubits, so no mainstream encryption is considered to be endangered as of today...

@cjd @dcc So barring some mathematical discovery, 256-bit ECC is on par with 4096- or 8192-bit RSA?
