A Post-Quantum Future for Let's Encrypt

Post-quantum threat model and capabilities

  • Several comments note that quantum capabilities are well-modeled theoretically (complexity classes like BQP, Shor’s and Grover-style speedups), even if practical machines don’t exist yet.
  • Security of both classical and PQ schemes is still heuristic: no one can prove their hardness, but many years of failed attacks provide confidence.
  • Some argue “store now, decrypt later” makes encryption migration urgent; others stress that signatures and long‑lived keys are at least as urgent because quantum forgeries would be indistinguishable from classical compromises.

Hybrid crypto, KEMs, and “encrypt twice”

  • Strong pushback against the naïve idea of “just encrypt data twice with two schemes.”
  • Recommended pattern: hybrid key encapsulation. Run multiple KEMs (e.g., one classical and one PQ), combine their shared secrets securely into a single key, and then use one symmetric AEAD with that key.
  • Repeated emphasis that KEMs are not “just encryption of keys” and that precise terminology matters to avoid insecure constructions.
  • For KEMs, hybrids are widely seen as reasonable; for signatures, hybrids are more controversial because they can weaken some desirable security properties.

Algorithm choices and lattice confidence

  • Discussion centers on lattice-based schemes (ML-KEM, ML-DSA) as current PQ standards, with parameter “security levels” benchmarked against AES and hash strengths.
  • LWE and related lattice problems are described as among the best‑understood hardness assumptions in public‑key crypto, arguably better understood than RSA in some respects.
  • Past PQ failures like SIKE/SIDH are used as cautionary tales but not seen as undermining lattices as a whole.

Merkle Tree Certificates (MTCs) and transparency

  • MTCs promise smaller handshakes (in the common case) and built‑in transparency: every certificate must be in a Merkle tree.
  • Main downsides raised:
    • Clients need continuous out‑of‑band syncing of “landmarks”; offline or flaky environments may fall back to very large PQ signatures.
    • TLS servers and clients become more complex; non‑browser tooling and embedded systems may lag or avoid landmark‑relative certs.
  • MTCs aim to fix weaknesses in today’s Certificate Transparency (SCTs, multi‑log complexity); verifiable indexes are mentioned as a future improvement for monitoring.

Trust, backdoors, and skepticism

  • Some commenters distrust NSA/EU involvement and see no immediate quantum threat, advocating to keep RSA/Ed25519.
  • Others counter that there is no concrete candidate backdoor in standardized PQ schemes and that multiple jurisdictions (including non‑US) are converging on similar lattice‑based designs.