On Fri, Feb 27, 2026 at 11:19:41PM +0100, Tibor Jager wrote:
> 
> 
> > Am 27.02.2026 um 21:16 schrieb Ilari Liusvaara <[email protected]>:
> > - There does not seem to be any evidence that ML-KEM is weak. I think
> >  that if ML-KEM gets badly broken, it will be for unforeseeable reasons
> >  (which is a risk for any cryptographic algorithm, including prime-
> >  field ECC).
> 
> Except that for a hybrid mode, both ML-KEM and ECC must be broken
> simultaneously. 

Both must be broken, but not simultaneously.

If the ML-KEM implementation has a side-channel or other implementation
flaw that breaks security, the attacker can still exploit that to break
the ML-KEM part and later break the ECC part with a CRQC to fully
compromise confidentiality.


> For almost every broken cryptosystem there was a time when there
> seemed to be no evidence that it is weak. ML-KEM still needs to stand
> the test of time. 

Kyber has had considerable analysis in NISTPQC. There was at least
one candidate (based on lattices) that was not advanced because
there was too little analysis.

And in addition to the analysis of Kyber in NISTPQC, there has been a
considerable amount of analysis of MLWE and general lattice problems
before that.




-Ilari
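
The point made above about the two components of a hybrid exchange being breakable at different times, as an added example that is not part of the thread: the attacker records the handshake, obtains the KEM shared secret whenever the implementation flaw is found, and obtains the X25519 private scalar whenever a CRQC exists; only then does the combiner give up the Handshake Secret. The key schedule follows RFC 8446 (SHA-256, no PSK) and the combiner follows draft-ietf-tls-ecdhe-mlkem (KEM shared secret first, then X25519). Because ML-KEM does not fit in a short example, the KEM slot is filled by a DH-based stand-in with the same keygen/encaps/decaps shape (an assumption of this example, not the real algorithm), and the "CRQC" is simulated by handing the attacker the victim's recorded scalar. All function names (`run_hybrid_handshake`, `attacker_derive`, `kem_encaps`, ...) are mine.

```python
"""Added example: hybrid (KEM || X25519) TLS 1.3 key exchange, and an
offline attacker who breaks the two components at different times."""
import hashlib
import hmac
import os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
HASH, HLEN = hashlib.sha256, 32


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder)."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64          # scalar clamping
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 7.1 HkdfLabel: uint16 length, opaque label<7..255>, opaque context<0..255>."""
    full = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes = b"") -> bytes:
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HLEN)


def handshake_secret(hybrid_ss: bytes) -> bytes:
    """RFC 8446 key schedule up to the Handshake Secret, with no PSK (Early Secret = Extract(0, 0))."""
    early = hkdf_extract(b"\x00" * HLEN, b"\x00" * HLEN)
    return hkdf_extract(derive_secret(early, b"derived"), hybrid_ss)


def hybrid_shared_secret(kem_ss: bytes, x25519_ss: bytes) -> bytes:
    """draft-ietf-tls-ecdhe-mlkem combiner: plain concatenation, KEM shared secret first."""
    return kem_ss + x25519_ss


# Stand-in KEM (assumption of this example): DH-based, same shape as ML-KEM's API.
def kem_keygen():
    sk = os.urandom(32)
    return sk, x25519(sk, BASEPOINT)


def kem_encaps(pk: bytes):
    e = os.urandom(32)
    return x25519(e, BASEPOINT), x25519(e, pk)        # (ciphertext, shared secret)


def kem_decaps(sk: bytes, ct: bytes) -> bytes:
    return x25519(sk, ct)


def run_hybrid_handshake():
    """One exchange. Returns (client secret, server secret, what a passive attacker records,
    what the two later breaks would hand the attacker)."""
    kem_sk, kem_pk = kem_keygen()                      # client KEM key pair (in ClientHello key_share)
    c_priv = os.urandom(32); c_pub = x25519(c_priv, BASEPOINT)
    kem_ct, kem_ss_server = kem_encaps(kem_pk)         # server encapsulates (ServerHello key_share)
    s_priv = os.urandom(32); s_pub = x25519(s_priv, BASEPOINT)
    server = handshake_secret(hybrid_shared_secret(kem_ss_server, x25519(s_priv, c_pub)))
    kem_ss_client = kem_decaps(kem_sk, kem_ct)
    client = handshake_secret(hybrid_shared_secret(kem_ss_client, x25519(c_priv, s_pub)))
    recording = {"kem_pk": kem_pk, "kem_ct": kem_ct, "c_pub": c_pub, "s_pub": s_pub}
    breaks = {"kem_ss": kem_ss_client, "c_priv": c_priv}   # t1: side channel; t2: CRQC
    return client, server, recording, breaks


def attacker_derive(recording: dict, kem_ss: bytes = None, c_priv: bytes = None):
    """Offline attacker holding a recorded handshake. Succeeds only once both component
    breaks have happened; the two may be years apart, but neither needs the other."""
    if kem_ss is None or c_priv is None:
        return None                                    # a 256-bit component is still unknown
    x25519_ss = x25519(c_priv, recording["s_pub"])     # ECDH recomputed from the recorded server share
    return handshake_secret(hybrid_shared_secret(kem_ss, x25519_ss))


if __name__ == "__main__":
    client, server, rec, brk = run_hybrid_handshake()
    print("honest parties agree:", client == server)
    print("KEM break alone:", attacker_derive(rec, kem_ss=brk["kem_ss"]))
    print("both breaks:", attacker_derive(rec, **brk) == client)
```

The combiner is just concatenation fed into HKDF-Extract, so the only thing protecting the Handshake Secret against an attacker who holds one component is the entropy of the other; the transcript itself never expires, which is why the two breaks do not have to coincide.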

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
