Hi Nadim,

Sorry for not stating this clearly; it is already late here.
Yes, I oppose, with the arguments provided in the earlier e-mails.

Sincerely,
Tibor

> On 28.02.2026 at 00:05, Nadim Kobeissi <[email protected]> wrote:
>
> Dear Tibor,
>
> Thank you for sharing your thoughts. Just to clarify: are you formally
> stating your opposition to this draft being published? If so, it may be
> helpful to do so explicitly, so that your opposition is counted by the chairs.
>
> Thank you,
>
> On Fri, Feb 27, 2026, at 11:19 PM, Tibor Jager wrote:
>>>> On 27.02.2026 at 21:16, Ilari Liusvaara <[email protected]> wrote:
>>> - There does not seem to be any evidence that ML-KEM is weak. I think
>>> that if ML-KEM gets badly broken, it will be for unforeseeable reasons
>>> (which is a risk for any cryptographic algorithm, including prime-
>>> field ECC).
>>
>> Except that for a hybrid mode, both ML-KEM and ECC must be broken
>> simultaneously.
>>
>> I think it is unwise to rely *only* on ML-KEM (or any other scheme
>> based on relatively new hardness assumptions), and currently do not
>> support any draft that does not use hybrid cryptography. In particular
>> when the use of hybrid crypto comes with negligible overhead, as for
>> ML-KEM + ECC.
>>
>> For almost every broken cryptosystem there was a time when there seemed
>> to be no evidence that it is weak. ML-KEM still needs to stand the test
>> of time.
>>
>> Best regards,
>> Tibor
>>
>> _______________________________________________
>> TLS mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
>> Attachments:
>> * smime.p7s
>
> --
> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
