Bas Westerbaan

Also applies to most other privacy tech until its ubiquitous

@jedisct1 There is a use for Signal if it’s PQ. there was an RWC talk this year

Is there interest in key blinding for signature schemes (with possible extensions to ML-DSA)? If so, would it be worth continuing our work on ietf.org/archive/id/dra… ?

@crypto_carsten @cjpatton_ You got this Carsten :)

@cjpatton_ Oh, if only it was so easy...

It's gonna be a big year for anonymous credentials. Let's make 'em PQ

@thefrozenfire @cjpatton_ Standardized when? Real risk they’ll be dead on arrival.

@cjpatton_ Verifying any arbitrary signature scheme can be cheap with GROTH16, and it's subversion zero knowledge, but it's not zero knowledge sound.

@IanSmith_HSA @veorq #section-4.3" target="_blank" rel="nofollow noopener">ietf.org/archive/id/dra…

@bwesterb @veorq Reference? It wasn't in the click through or paper. This is still the wrong architecture but a 32 byte 'half' wouldn't be an egregiously bad security flaw. In a manual?

@IanSmith_HSA @veorq The other half, an ML-KEM shared secret, is 32 bytes.

Reading the article closely, the vendor is saying they encrypt half a key with PQC and half a key with elliptic curves. The Quantum Attacker will be able to break the elliptical curve portion and then brute force or Grover's the other half. My post attempted to show this is "the wrong way to hybrid."

@IanSmith_HSA @veorq Where is this “half a key” coming from.

@veorq @bwesterb Half a key is faster to brute force on silicon for the next few decades. It is also possible on distributed workloads and this is very easy to do in parallel on silicon. My point was that they should never allow the possibility to brute force "half" at once.

@IanSmith_HSA Even if Grover were practical (which it isn't), then your suggested attack doesn't work: in TLS each component of the hybrid contributes its own secret. Without the 32-byte ML-KEM secret, you can't make any progress, even if you do have the ECDH one.

@IanSmith_HSA Sam Jaques has a great talk on this topic. youtube.com/watch?v=eB4po9…

@rvcas Yeah, it’s great :)

@bwesterb Yes I know, it’s just cool to see

AWS giving interesting warnings now

just one click to see who is post-quantum secure (and who is not) now in Cloudflare Radar

We’re continuing our work in @googlechrome to build safe, efficient post-quantum crypto on the web (10 years strong!) & now testing HTTPS using Merkle Tree Certificates (MTCs). Thanks for the collab @bwesterb @cloudflare! More details in goo.gle/3MSAYnS 🕸️🔒🌲

@benjamin_hcap @wallstengine Let's go!

@wallstengine quantum proofing the web by 2027

$GOOGL is testing quantum-resistant HTTPS in Chrome using Merkle Tree Certificates, to protect certificate validation from future quantum attacks without blowing up certificate sizes. Cloudflare $NET is partnering on live trials, and Google is targeting broader CA rollout by 2027

@KreizJordy @wallstengine Not the first time! blog.cloudflare.com/the-tls-post-q…

@wallstengine Didnt expect $GOOG and $NET to partner

@Solix_Trade @wallstengine That's why we're running trails as we speak! So far it's looking good. We'll publish soon!

@wallstengine Wow, this is actually pretty cool. Using Merkle Trees to future-proof HTTPS is smart, and keeping the certs small is key. Curious to see how it performs in the wild.