Dear Tibor, Thank you for sharing your thoughts. Just to clarify: are you formally stating your opposition to this draft being published? If so, it may be helpful to do so explicitly, so that your opposition is counted by the chairs.
Thank you, On Fri, Feb 27, 2026, at 11:19 PM, Tibor Jager wrote: >> Am 27.02.2026 um 21:16 schrieb Ilari Liusvaara <[email protected]>: >> - There does not seem to be any evidence that ML-KEM is weak. I think >> that if ML-KEM gets badly broken, it will be for unforeseeable reasons >> (which is a risk for any cryptographic algorithm, including prime- >> field ECC). > > Except that for a hybrid mode, both ML-KEM and ECC must be broken > simultaneously. > > I think it is unwise to rely *only* on ML-KEM (or any other scheme > based on relatively new hardness assumptions), and currently do not > support any draft that does not use hybrid cryptography. In particular > when the use of hybrid crypto comes with negligible overhead, as for > ML-KEM + ECC. > > For almost every broken cryptosystem there was a time when there seemed > to be no evidence that it is weak. ML-KEM still needs to stand the test > of time. > > Best regards, > Tibor > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] > > Attachments: > * smime.p7s -- Nadim Kobeissi Symbolic Software • https://symbolic.software _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
