Brace Key is not post-quantum
Created by: sebastianv89
The brace key is not providing post-quantum confidentiality and I think it should not be advertised as such. It only provides protection in case elliptic curve cryptography is broken, but not against quantum cryptanalysis in general.
Although Shor's algorithm requires fewer qubits in order to break Ed448-Goldilocks (compared to breaking 3072-bit DH), the difference is not significant. Assume it takes another thirty years until we have fault-tolerant quantum computers big enough to break Ed448-Goldilocks and another two years beyond that to scale up the computer to break 3072-bit DH. That means that the use case is confidentiality for messages that need to remain secure for another thirty years, but no longer than thirty-two years. The exact timeline may turn out to be different, but the point remains that 3072-bit DH will be broken very shortly after Ed448 once large-scale quantum computers become a reality. The uncertainty around the exact timeline in fact makes the practicality of the brace key even more questionable.
Compare this against the standard solution that mixes both the result of a classical (ECC) key exchange and the result of an IND-CPA post-quantum KEM (or multiple) in the KDF such that both (all) need to be broken in order to break confidentiality. That solution provides confidentiality for data that needs to remain secure forever, even if quantum computers become a reality.
I think it is misleading to say that the brace key provides any kind of post-quantum security.
This comment applies to
- ADR5, section Context
- ADR6, section Consequences
- otrv4, section Security Properties
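The hybrid construction described in the post (an ECDH shared secret and a post-quantum KEM shared secret both fed into the KDF, so that both must be broken) as an added, self-contained example; it is not code from the issue or from the OTRv4 project. The KDF is HKDF-SHA256 per RFC 5869 written on the standard library, and the shared secrets and transcript are constructed placeholder bytes, not output of real ECDH or KEM operations.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(data: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be re-split ambiguously."""
    return len(data).to_bytes(2, "big") + data


def hybrid_session_key(ecdh_ss: bytes, kem_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from an ECDH shared secret and a PQ KEM shared secret.

    Both secrets are part of the IKM, so the output stays pseudorandom as long as
    at least one of them is unknown to the attacker. The transcript (public keys,
    KEM ciphertext) goes into the HKDF context so the key is bound to this exchange.
    """
    ikm = _lp(b"hybrid-kex-v1") + _lp(ecdh_ss) + _lp(kem_ss)
    prk = hkdf_extract(salt=b"", ikm=ikm)
    return hkdf_expand(prk, info=_lp(b"session key") + _lp(transcript), length=32)


# Constructed placeholder values standing in for real ECDH / KEM outputs.
ECDH_SS = bytes.fromhex("11" * 56)   # X448-sized shared secret (constructed)
KEM_SS = bytes.fromhex("22" * 32)    # KEM shared secret (constructed)
TRANSCRIPT = b"pkA||pkB||kem-ciphertext"


def attacker_with_ecc_broken_learns_key(kem_guess: bytes) -> bool:
    """Model the post's scenario: ECC is broken, so ECDH_SS is known, but the
    KEM secret still has to be guessed. True only if the guess is exactly right."""
    real = hybrid_session_key(ECDH_SS, KEM_SS, TRANSCRIPT)
    return hmac.compare_digest(hybrid_session_key(ECDH_SS, kem_guess, TRANSCRIPT), real)
```

Feeding a 3072-bit DH shared secret into the same combiner instead of a KEM secret gives the brace-key design the post criticises: the combiner is sound, but the second input falls to the same quantum algorithm as the first.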