%% You should probably cite draft-whyte-select-pkc-qsh-02 instead of this revision. @techreport{whyte-select-pkc-qsh-00, number = {draft-whyte-select-pkc-qsh-00}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-whyte-select-pkc-qsh/00/}, author = {John M. Schanck and William Whyte and Zhenfei Zhang}, title = {{Criteria for selection of public-key cryptographic algorithms for quantum-safe hybrid cryptography}}, pagetotal = 14, year = 2015, month = sep, day = 21, abstract = {Authenticated key exchange mechanisms instantiated with cryptosystems based on integer factorization, finite field discrete log, or elliptic curve discrete log, are believed to be secure now but are vulnerable to a harvest-then-decrypt attack where an attacker who cannot currently break the mechanism records the traffic anyway, then decrypts it at some point in the future when quantum computers become available. The Quantum-safe Hybrid approach is a modular design, allowing any authenticated key exchange mechanism to be protected against the harvest-then-decrypt attack by exchanging additional secret material protected with an ephemeral key for a quantum-safe public key cryptographic algorithm and including that secret material in the Key Derivation Function (KDF) run at the end of the key exchange. This approach has been proposed in TLS as the Quantum-safe Hybrid handshake mechanism for Transport Layer Security protocol (QSH\_TLS). This document provides a guideline to criteria for selecting public key encryption algorithms approved for experimental use in the quantum safe hybrid setting.}, }