> On 27.02.2026 at 23:45, Blumenthal, Uri - 0553 - MITLL
> <[email protected]> wrote:
>
> >> - There does not seem to be any evidence that ML-KEM is weak. I think
> >> that if ML-KEM gets badly broken, it will be for unforeseeable reasons
> >> (which is a risk for any cryptographic algorithm, including prime-field ECC).
> >
> > Except that for a hybrid mode, both ML-KEM and ECC must be broken
> > simultaneously.
>
> ECC break under CRQC is a given. Which should matter for PQC context. As has
> been repeated countless times.
There is a misunderstanding here. The hybrid modes are obviously not meant for the time after a CRQC exists, but to manage the risk of relying only on algorithms based on new assumptions until this is the case, while at the same time having a chance to prevent store-now-break-later attacks.

> > > I think it is unwise to rely *only* on ML-KEM
> >
> > Then don’t — nobody is making you.
> >
> > But don’t make decisions for somebody else, who — I assure you — knows what
> > s/he is doing (and isn’t trying to impose her “wise/unwise” upon you!).

You have missed the important part of the sentence. I am obviously not in the position to impose anything upon anyone. But I expressed that I do not support any draft that does not use hybrid crypto, and provided concrete arguments why. I guess that’s the purpose of this mailing list.

Kind regards,
Tibor
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
