> Admittedly your answer (reported here below) was not addressing my concerns.
> . . . . .
> A hybrid still has a chance of being secure if old good crypto would be 
> successfully attacked, so your argument does not stand. 


Let me repeat myself. If the data must remain secure for a long time, then the 
Classic part does not help, and the security of that data lies solely within 
the PQ component. Which part of this “does not stand”?


The only difference the Classic part makes is probably preventing the data from 
being compromised early — which for long-time-valuable data is not enough. 
(This extra protection usually does not hurt, but in several use cases it does 
not help, and it adds the cost of introducing extra complexity in codebase and 
infrastructure management. For some — it is OK, so there’s tls-ecdhe-mlkem 
draft, that nobody objects to. For others — it is not OK, their needs are 
addressed by tls-mlkem.)


> To build confidence in RSA took 20 years or more. I do not expect that PQC 
> will have such a remarkably different path. 

You must have missed one of my previous emails — let me (again) repeat myself:


System          Proposed  Standardized  Lag-to-Standardization  Math-Studied-For-How-Long
--------------  --------  ------------  ----------------------  ---------------------------
RSA             1977      ~1993–1995    ~15–20 years            Number theory: 2000+ years
ECC             1985      ~1998–2000    ~13–15 years            Elliptic curves: ~150 years
Lattice crypto  1996      2022–2024     ~25 years               Lattices: ~150–200 years
McEliece        1978      2024          ~46 years               Codes: ~60-75 years


I hope this table is self-explanatory, and addresses your comment.

