> In particular when the use of hybrid crypto comes with negligible overhead, as for ML-KEM + ECC.
X25519 is almost twice as slow as MLKEM768 ( https://blog.cloudflare.com/pq-2025/#ml-kem-versus-x25519); P-256 is about the same On Fri, Feb 27, 2026, 5:25 PM Tibor Jager <[email protected]> wrote: > > > > Am 27.02.2026 um 21:16 schrieb Ilari Liusvaara <[email protected] > >: > > - There does not seem to be any evidence that ML-KEM is weak. I think > > that if ML-KEM gets badly broken, it will be for unforeseeable reasons > > (which is a risk for any cryptographic algorithm, including prime- > > field ECC). > > Except that for a hybrid mode, both ML-KEM and ECC must be broken > simultaneously. > > I think it is unwise to rely *only* on ML-KEM (or any other scheme based > on relatively new hardness assumptions), and currently do not support any > draft that does not use hybrid cryptography. In particular when the use of > hybrid crypto comes with negligible overhead, as for ML-KEM + ECC. > > For almost every broken cryptosystem there was a time when there seemed to > be no evidence that it is weak. ML-KEM still needs to stand the test of > time. > > Best regards, > Tibor > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
