On 7/30/25 2:17 AM, ma bing wrote:
NIST has approved HQC (Hamming Quasi-Cyclic) in addition to the
already approved ciphers, I suggest switching from ECC+Kyber to
HQC+Kyber; Since ECC is vulnerable to quantum computers, using
ECC+Kyber is likely a false positive, so I think HQC+Kyber is better.
In conclusion, I think there are 3 concerns.
Eric already addressed the main concern. Hybrid is to give us confidence
to deploy these new algorithms.
The other issue is HQC is also significantly larger than ML-KEM*. Part
of what makes hybrid doable is that ECC is relatively small, so adding
it does not add significant size over ML-KEM's own keys. Performance was
such that Amazon found that they could 'just do it' and keep chugging.
That removes a significant barrier to deployment.
The second issue is there is a lag time between 'approval' and
standards. NIST has decided to move forward with HQC as a NIST standard,
but that standard is not yet available. Once it is I would expect to see
HQC-ECC hybrids out there as well, just so our infrastructure doesn't
fall over if ML-KEM becomes classically broken, but as I said, there is
no HQC standard, so
Bob
*I'm taking your use of Kyber to mean ML-KEM. Typically we refer to
Kyber when we are talking pre-standardized variants of the algorithm.
Using HQC would have the same issues as using Kyber (rather than
ML-KEM). It was a stop-gap until we had ML-KEM.
_______________________________________________
TLS mailing list -- tls@ietf.org