Score:1

Is RSA the only current practical option for asymmetric encipherment of symmetric keys at rest?

As of 2021, is RSA the only practical (i.e. safe, production-ready) option for asymmetric encipherment of symmetric keys at rest? ECDSA is obviously preferable over RSA in the case of signing, but (unless I'm woefully misinformed) it doesn't support key encipherment. If RSA is the only practical option at present, are there any notable efforts toward future alternatives that I should be aware of?

To be clear: I'm aware that RSA is still more than good enough today, outside of very exacting circumstances. However, I'd be remiss if I didn't at least investigate the possibility of alternatives with better long-term prospects.

The context I'm primarily interested in is asynchronous multiparty data sharing, where mutual key agreement with ECDH isn't possible due to the lack of realtime interaction between parties. That said, I'm also asking out of broader curiosity, so I'd be interested in answers that are more narrowly applicable to other contexts.

user1686
Is (EC)DH really not possible? I had the impression that that's exactly how e.g. ElGamal encryption worked in PGP/GnuPG with DSA keys.
Score:4

As of 2021, is RSA the only practical (i.e. safe, production-ready) option for asymmetric encipherment of symmetric keys at rest?

Of course not, there are a number of alternatives. For one, there is the Integrated Encryption Scheme, which can be used with either finite fields (e.g. modulo a 2048 bit prime), or over an elliptic curve. While not nearly as common as RSA, it is certainly in use.

The issue for both RSA and IES is that both can be broken by a Quantum Computer; there is an active standardization effort for schemes that are not so vulnerable, see here for the current status.
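
The Integrated Encryption Scheme named in the answer above, as an added example that is not part of the original post or of any project's code: the sender wraps a symmetric key using only the recipient's static public key, so no real-time interaction is needed. It uses the 2048-bit MODP group 14 from RFC 3526 and only the Python standard library; the function names, the `ies-wrap` KDF label and the choice of HKDF-SHA256 with an XOR pad and an HMAC tag are assumptions made for this illustration, and the same structure carries over to an elliptic-curve group.

```python
import hashlib, hmac, secrets

# Added illustration: names and the b"ies-wrap" label are hypothetical.
# 2048-bit MODP group 14 from RFC 3526 (safe prime, generator 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G, Q, N = 2, (P - 1) // 2, 256  # generator, subgroup order, byte length of P

def _kdf(shared: int, eph_pub: int, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869) over the DH secret, bound to the ephemeral value."""
    prk = hmac.new(b"\x00" * 32, shared.to_bytes(N, "big"), hashlib.sha256).digest()
    info, okm, block, i = b"ies-wrap" + eph_pub.to_bytes(N, "big"), b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def keygen():
    """Return (private exponent, public value); the public value is published once."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def wrap(recipient_pub: int, sym_key: bytes) -> bytes:
    """Sender side: fresh ephemeral key pair per wrapped key, no interaction."""
    e, eph_pub = keygen()
    okm = _kdf(pow(recipient_pub, e, P), eph_pub, len(sym_key) + 32)
    ct = bytes(a ^ b for a, b in zip(sym_key, okm))  # pad = first len(sym_key) bytes
    tag = hmac.new(okm[-32:], ct, hashlib.sha256).digest()  # MAC key = last 32 bytes
    return eph_pub.to_bytes(N, "big") + ct + tag

def unwrap(recipient_priv: int, blob: bytes) -> bytes:
    """Recipient side, run later and offline; raises ValueError on any failure."""
    if len(blob) < N + 32:
        raise ValueError("blob too short")
    eph_pub, ct, tag = int.from_bytes(blob[:N], "big"), blob[N:-32], blob[-32:]
    # Reject values outside the prime-order subgroup before using the private key.
    if not 1 < eph_pub < P - 1 or pow(eph_pub, Q, P) != 1:
        raise ValueError("invalid ephemeral public value")
    okm = _kdf(pow(eph_pub, recipient_priv, P), eph_pub, len(ct) + 32)
    if not hmac.compare_digest(tag, hmac.new(okm[-32:], ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, okm))
```

The stored blob is the ephemeral public value, the masked key and the tag; a deployed system would take the same construction from a vetted library rather than hand-written modular arithmetic.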

Thanks. I somehow forgot about the NIST PQC project, which is surprising considering how amusing I found the whole "discretisation attack" kerfuffle. On that note, are you aware of any (preferably recent) analysis or summary of the current state of round 3, in terms of current feelings from the cryptography community? (Subjective, I know - I'm mostly just curious.)
poncho
@Polynomial: I haven't heard anything from either NIST or what I could consider the consensus of the crypto community. I personally expect (on the KEM/Encrypt side) for NTRU and McEliece to be approved. On the signature side, it's not nearly as clear; I can see arguments for both Falcon and Dilithium - currently, Falcon looks a bit more likely at the moment, but only a bit more (and also I can see NIST going with either Rainbow or possibly reaching into the alternative with Sphincs+ as a second choice...)