Last year, my position was that we still had time to design PQ authentication mechanisms.

Now, based on the pace of progress and on statements like Google's, I believe:

1. we need to finish rolling out PQ key exchange yesterday
2. we need to start rolling out PQ auth now
3. it's too late to ship any new non-PQ design or system

https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/

Quantum frontiers may be closer than they appear

An overview of how Google is accelerating its timeline for post-quantum cryptography migration.

Google
@filippo I like their aggressive timeline, but I'm not sure there's any specific argument or reason that explains why it should be expedited. Am I missing something?
@freddy @filippo as far as I can tell that timeline is because that is the timeline that has been set by NSA / NIST. Google is probably just trying to protect its access to sell devices / services to the government.

@freddy @filippo

Scott Aaronson writes:

"I’m going to close this post with a warning. When Frisch and Peierls wrote their now-famous memo in March 1940, estimating the mass of Uranium-235 that would be needed for a fission bomb, they didn’t publish it in a journal, but communicated the result through military channels only. As recently as February 1939, Frisch and Meitner had published in Nature their theoretical explanation of recent experiments, showing that the uranium nucleus could fission when bombarded by neutrons. But by 1940, Frisch and Peierls realized that the time for open publication of these matters had passed.

"Similarly, at some point, the people doing detailed estimates of how many physical qubits and gates it’ll take to break actually deployed cryptosystems using Shor’s algorithm are going to stop publishing those estimates, if for no other reason than the risk of giving too much information to adversaries. Indeed, for all we know, that point may have been passed already. This is the clearest warning that I can offer in public right now about the urgency of migrating to post-quantum cryptosystems, a process that I’m grateful is already underway."

https://scottaaronson.blog/?p=9425

More on whether useful quantum computing is “imminent”

These days, the most common question I get goes something like this: A decade ago, you told people that scalable quantum computing wasn’t imminent. Now, though, you claim it plausibly is immi…

Shtetl-Optimized
@filippo too late forever or too late for initial deployments?
@filippo Interesting, I just came across https://infosec.exchange/@mttaggart/116163107290977793 the other day, basically saying that it won't be feasible any time soon.

@filippo You got me interested to know what it would look like in authorized_keys, and whether it could be this short! Looks neat.

ssh-mldsa44-ed25519 434f4d505349472d4d4c44534134342d456432353531392d534841353132

https://datatracker.ietf.org/doc/draft-sun-ssh-composite-sigs/02/

Composite ML-DSA Signatures for SSH

This document describes the use of PQ/T composite signatures for the Secure Shell (SSH) protocol. The composite signatures described combine ML-DSA as the post-quantum part and the elliptic curve signature schemes ECDSA, Ed25519 and Ed448 as the traditional part.

IETF Datatracker
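An added check, not part of the thread or of the draft: the entry posted above has the shape of an authorized_keys line, but its second field is not a base64 SSH public-key blob. Read as hex it is the ASCII string `COMPSIG-MLDSA44-Ed25519-SHA512`, a domain-separator label of the kind the composite-signature drafts use, not an encoded key. The Python below (standard library only) parses an authorized_keys line using the SSH wire format of length-prefixed strings and enforces the check sshd and ssh-keygen apply when loading a key: the type string embedded in the blob must equal the leading type token. The ssh-ed25519 key bytes are a constructed placeholder, not a real key, and the script does not implement the draft's composite key encoding; it only shows why the posted line would not load.

```python
import base64
import binascii
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs (not real keys). FAKE_ED25519_PK is a placeholder
# byte pattern; POSTED_LINE is the entry from the thread above, verbatim.
FAKE_ED25519_PK = bytes(range(32))
POSTED_LINE = (
    "ssh-mldsa44-ed25519 "
    "434f4d505349472d4d4c44534134342d456432353531392d534841353132"
)


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': big-endian uint32 length, then the bytes (RFC 4251 s.5)."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> List[bytes]:
    """Split a public-key blob into its length-prefixed fields; raise on truncation."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        remaining = len(blob) - offset
        if length > remaining:
            raise ValueError(f"field length {length} exceeds remaining {remaining} bytes")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def build_authorized_key(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Assemble an authorized_keys line: the blob starts with the key type, then the fields."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_authorized_key(line: str) -> Dict[str, object]:
    """Parse and validate one authorized_keys line.

    Rejects entries whose blob is not base64, is not well-formed SSH wire
    format, or whose embedded type string differs from the leading type token.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, encoded, comment = parts[0], parts[1], " ".join(parts[2:])
    try:
        blob = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"blob is not valid base64: {exc}") from None
    fields = parse_ssh_strings(blob)
    if not fields or fields[0] != key_type.encode():
        raise ValueError("embedded key type does not match leading type token")
    return {"type": key_type, "fields": fields[1:], "comment": comment}


def check_authorized_key(line: str) -> Tuple[bool, str]:
    """Return (accepted, reason) so bad lines can be reported instead of raised."""
    try:
        parsed = parse_authorized_key(line)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{parsed['type']} with {len(parsed['fields'])} field(s)"


def hex_label(encoded: str) -> Optional[str]:
    """If the blob field is really hex-encoded ASCII (as in the posted line), return the text."""
    try:
        return bytes.fromhex(encoded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


GOOD_LINE = build_authorized_key("ssh-ed25519", FAKE_ED25519_PK, comment="alice@example")
# Same blob with the wrong leading token: the type inside the blob still says ssh-ed25519.
MISMATCHED_LINE = "ssh-rsa " + GOOD_LINE.split()[1]

if __name__ == "__main__":
    samples = [("constructed", GOOD_LINE), ("mismatched", MISMATCHED_LINE), ("posted", POSTED_LINE)]
    for label, line in samples:
        ok, why = check_authorized_key(line)
        print(f"{label:11} {'accept' if ok else 'reject'}: {why}")
    print("posted blob read as hex ->", hex_label(POSTED_LINE.split()[1]))
```

The posted blob happens to be valid base64 (hex digits are all in the base64 alphabet), so the rejection comes from the wire-format check rather than from decoding: its first four bytes read as a length of roughly 3.8 billion, far larger than the 45-byte blob. A real composite key would carry the type string first and then the key material laid out as the draft specifies.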