Found 1 record.

Status: Reported (1)

RFC 8784, "Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security", June 2020

Errata ID: 8775
Status: Reported
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Thom Wiggers
Date Reported: 2026-02-20

Section 6 says:

In addition, the policy SHOULD be set to negotiate only quantum-
secure symmetric algorithms; while this RFC doesn't claim to give
advice as to what algorithms are secure (as that may change based on
future cryptographical results), below is a list of defined IKEv2 and
IPsec algorithms that should not be used, as they are known to
provide less than 128 bits of post-quantum security:

*  Any IKEv2 encryption algorithm, PRF, or integrity algorithm with a
   key size less than 256 bits.

*  Any ESP transform with a key size less than 256 bits.

*  PRF_AES128_XCBC and PRF_AES128_CBC: even though they can use as
   input a key of arbitrary size, such input keys are converted into
   a 128-bit key for internal use.

It should say:

In general, the discussion on Grover's algorithm in the security
considerations needs to be revisited. Since the document was published,
the cryptographic community has come to the wide agreement that Grover's
algorithm has extremely large implementation cost which practically
negates its theoretical advantage over classical computers. 

As such, using (good) 128-bit secure algorithms is just fine.

Notes:

This also transitively affects RFC 9867 which points to this RFC's security considerations.

Report New Errata