> On 27.02.2026 at 21:16, Ilari Liusvaara <[email protected]> wrote:
> - There does not seem to be any evidence that ML-KEM is weak. I think
> that if ML-KEM gets badly broken, it will be for unforeseeable reasons
> (which is a risk for any cryptographic algorithm, including
> prime-field ECC).

Except that for a hybrid mode, both ML-KEM and ECC must be broken simultaneously.

I think it is unwise to rely *only* on ML-KEM (or any other scheme based on relatively new hardness assumptions), and currently do not support any draft that does not use hybrid cryptography. In particular when the use of hybrid crypto comes with negligible overhead, as for ML-KEM + ECC.

For almost every broken cryptosystem there was a time when there seemed to be no evidence that it is weak. ML-KEM still needs to stand the test of time.

Best regards,
Tibor
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
