diff --git a/draft-hale-pquip-hybrid-signature-spectrums.md b/draft-hale-pquip-hybrid-signature-spectrums.md index 4cffa7a..db43ab4 100644 --- a/draft-hale-pquip-hybrid-signature-spectrums.md +++ b/draft-hale-pquip-hybrid-signature-spectrums.md 
@@ -165,22 +165,27 @@ systems with hardware roots of trust), or where future checks on past authenticity play a role (e.g., digital signatures on legal documents). The relative newness of many (although not all) post-quantum algorithms -means that less cryptanalysis of such algorithms is -available than for long-established counterparts, such as -RSA and elliptic-curve based solutions for confidentiality and -authenticity. This has -drawn attention to hybrid cryptographic schemes, which combine both traditional +means that less cryptanalysis of such algorithms is available than +for long-established counterparts, such as RSA and elliptic-curve based +solutions for confidentiality and authenticity. This has drawn attention +to hybrid cryptographic schemes, which combine both traditional and post-quantum (or more generally next-generation) algorithms in one -cryptographic scheme. These may offer increased assurance for implementers, namely that as long as the security of one of the two component algorithms of +cryptographic scheme. These may offer increased assurance for implementers, +namely that as long as the security of one of the two component algorithms of the hybrid scheme holds, the confidentiality or authenticity offered by that scheme is maintained. Whether or not hybridization is desired depends on the use case -and security threat model. Conservative users -may not have complete trust in the post-quantum algorithms or implementations available, +and security threat model. Conservative users may not have complete trust +in the post-quantum algorithms or implementations available, while also recognizing a need to start post-quantum transition. For such -users, hybridization can support near-term transition while also avoiding trusting solo post-quantum algorithms too early. -On the other hand, hybrid schemes, particularly for authentication, may introduce significant complexity into a system or a migration process, so might not be the right choice for all. 
For cases where hybridization is determined to be advantageous, a decision on how to hybridize needs to be made. With many options available, this document is intended to provide context on some of the trade-offs and nuances to consider. +users, hybridization can support near-term transition while also avoiding +trusting solo post-quantum algorithms too early. On the other hand, hybrid +schemes, particularly for authentication, may introduce significant complexity +into a system or a migration process, so might not be the right choice for all. +For cases where hybridization is determined to be advantageous, a decision on +how to hybridize needs to be made. With many options available, this document +is intended to provide context on some of the trade-offs and nuances to consider. Hybridization has been looked at for key encapsulation [HYBRIDKEM], and in an initial sense for digital signatures [HYBRIDSIG]. Compared to key 
@@ -323,10 +328,11 @@ over time. Given the complexity of next generation algorithms, the chance of such discoveries and caveats needs to be taken into account. Of note, some next generation algorithms have received substantial analysis -attention, for example through the NIST Post-Quantum Process [NIST_PQC_FAQ]. Thus, if and when further information on caveats and -implementation issues come to light, it is less likely that a "break" will be -catastrophic. Instead, such vulnerabilities and issues may represent a -weakening of security - which may in turn be offset if a hybrid approach +attention, for example through the NIST Post-Quantum Process [NIST_PQC_FAQ]. +Thus, if and when further information on caveats and implementation issues +come to light, it is less likely that a "break" will be catastrophic. +Instead, such vulnerabilities and issues may represent a weakening of +security - which may in turn be offset if a hybrid approach has been used. The complexity of post-quantum algorithms needs to be balanced against the fact that hybridization itself adds more complexity to a protocol and introduces the risk of implementation mistakes in the
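Review bot: In the first hunk (`@@ -165,22 +165,27 @@`) the subject-verb mismatch carried over from the old text should be fixed while these lines are being rewrapped anyway: the new line `+for long-established counterparts, such as RSA and elliptic-curve based` still reads "elliptic-curve based" where the compound modifier wants a hyphen ("elliptic-curve-based solutions"), and `+trusting solo post-quantum algorithms too early. On the other hand, hybrid` keeps the informal "solo", which would read more precisely as "standalone post-quantum algorithms". The hunk otherwise only reflows the paragraph to roughly 80 columns without changing its content, so the commit message should say it is a whitespace-only rewrap and reviewers can confirm that with `git diff -w` (or by diffing the rendered draft) rather than reading every moved sentence.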
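Review bot: In the second hunk (`@@ -323,10 +328,11 @@`) the rewrapped line `+come to light, it is less likely that a "break" will be catastrophic.` belongs to a sentence whose subject is "information", so the preceding line should read "if and when further information on caveats and implementation issues comes to light" (not "come"); since the line is already being rewritten, this is the moment to fix it. The new line `+security - which may in turn be offset if a hybrid approach` also uses a bare hyphen as a dash; a comma ("weakening of security, which may in turn be offset if a hybrid approach has been used") renders consistently in the markdown-to-RFC toolchain and avoids a stray "-" in the text output. As with the first hunk, this is otherwise a pure reflow, so it is worth stating that in the commit message and checking it with `git diff -w`.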