Two papers came out last week that suggest classical asymmetric cryptography might indeed be broken by quantum computers in just a few years.

That means we need to ship post-quantum crypto now, with the tools we have: ML-KEM and ML-DSA. I didn't think PQ auth was so urgent until recently.

https://words.filippo.io/crqc-timeline/

A Cryptography Engineer’s Perspective on Quantum Computing Timelines

The risk that cryptographically-relevant quantum computers materialize within the next few years is now high enough to be dispositive, unfortunately.

@filippo Thanks for the post!

Regarding AES128: is it safe *for the moment* or do you think it should be safe for a long time yet?

And what's your opinion on pre-shared keys?

I often work on web push, and its encryption (RFC8291) uses an "authentication secret" that, if I understand correctly, works as a pre-shared key (cf. below), and AES128. I wonder if it's safe to continue with this protocol.

PRK_key = HMAC-SHA-256(auth_secret, ecdh_secret)
IKM = HMAC-SHA-256(PRK_key, key_info || 0x01)
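The derivation quoted above, carried through to the content key and nonce, as an added example that is not from this thread or from any web push library (Python standard library only). It assumes the RFC 8291 section 3.3/3.4 and RFC 8188 section 2.2 key schedule; ecdh_secret, the two public keys and the salt are constructed placeholder bytes, and the ECDH exchange itself is skipped. It shows that auth_secret enters as the salt of the first HKDF extract, so knowing ecdh_secret alone does not yield the content encryption key.

```python
import hmac
import hashlib

# Added example, not code from the thread. The ECDH step is skipped:
# ECDH_SECRET, UA_PUBLIC and AS_PUBLIC below are constructed placeholders
# with the right lengths, not real P-256 values.


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract with SHA-256: PRK = HMAC-SHA-256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand_one_block(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand truncated to one block: HMAC-SHA-256(PRK, info || 0x01)[:length].

    RFC 8291 and RFC 8188 never need more than 32 bytes of output, so the
    full HKDF-Expand loop collapses to a single HMAC with counter 0x01.
    """
    assert length <= hashlib.sha256().digest_size
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def webpush_keys(auth_secret: bytes, ecdh_secret: bytes,
                 ua_public: bytes, as_public: bytes, salt: bytes):
    """Return (CEK, NONCE) per RFC 8291 section 3.4 and RFC 8188 section 2.2."""
    # RFC 8291 3.3: key_info = "WebPush: info" || 0x00 || ua_public || as_public
    key_info = b"WebPush: info\x00" + ua_public + as_public
    # RFC 8291 3.4: the 16-byte auth_secret is the salt, so it gates everything below.
    prk_key = hkdf_extract(auth_secret, ecdh_secret)
    ikm = hkdf_expand_one_block(prk_key, key_info, 32)
    # RFC 8188 2.2: salt is the 16-byte record salt carried in the aes128gcm header.
    prk = hkdf_extract(salt, ikm)
    cek = hkdf_expand_one_block(prk, b"Content-Encoding: aes128gcm\x00", 16)
    nonce = hkdf_expand_one_block(prk, b"Content-Encoding: nonce\x00", 12)
    return cek, nonce


# Constructed sample inputs (placeholders, not a real exchange).
AUTH_SECRET = bytes(range(16))
ECDH_SECRET = bytes(range(32))
UA_PUBLIC = b"\x04" + bytes(64)            # uncompressed P-256 point shape
AS_PUBLIC = b"\x04" + bytes(range(64))
SALT = bytes(16)


def auth_secret_is_required() -> bool:
    """An attacker who learned ecdh_secret but not auth_secret gets a different CEK."""
    cek, _ = webpush_keys(AUTH_SECRET, ECDH_SECRET, UA_PUBLIC, AS_PUBLIC, SALT)
    cek_guess, _ = webpush_keys(bytes(16), ECDH_SECRET, UA_PUBLIC, AS_PUBLIC, SALT)
    return cek != cek_guess
```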

@S1m it's as safe as it always was, and as safe as if QCs were impossible. (Which is to say very safe, no one really thinks AES will get surprise broken.)

PSKs are fine if you can keep them from being compromised. The scheme you excerpted should be fine if auth_secret is not known to the attacker.

@filippo Thanks a lot for the answer!

So, that's nearly what I had in mind. I wasn't sure about the AES key length: I remember reading that 128 was enough in some places, and that we should move to 256 in some others.

@filippo
I need to figure out how to use a yubikey and a PQ key (in a file) for age/passage now :)