> On 28.02.2026 at 16:43, Ilari Liusvaara <[email protected]> wrote:
>
> On Fri, Feb 27, 2026 at 11:19:41PM +0100, Tibor Jager wrote:
>>
>>>> On 27.02.2026 at 21:16, Ilari Liusvaara <[email protected]> wrote:
>>> - There does not seem to be any evidence that ML-KEM is weak. I think
>>> that if ML-KEM gets badly broken, it will be for unforeseeable reasons
>>> (which is a risk for any cryptographic algorithm, including prime-field ECC).
>>
>> Except that for a hybrid mode, both ML-KEM and ECC must be broken
>> simultaneously.
>
> Both must be broken, but not simultaneously.
>
> If the ML-KEM implementation has a side channel or other implementation
> flaw that breaks security, the attacker can still exploit that to break
> the ML-KEM part and later break the ECC part with a CRQC to fully
> compromise confidentiality.
You’re right, in the store-now-break-later setting it is not simultaneously. Thank you!

>> For almost every broken cryptosystem there was a time when there
>> seemed to be no evidence that it is weak. ML-KEM still needs to stand
>> the test of time.
>
> Kyber has had considerable analysis in NISTPQC. There was at least
> one candidate (based on lattices) that was not advanced because
> there was too little analysis.
>
> And in addition to analysis of Kyber in NISTPQC, there has been a considerable
> amount of analysis of MLWE and general lattice problems before that.

Many other cryptosystems have received considerable analysis before they were broken.

I am not saying ML-KEM is insecure. It is a very beautiful design, and I really hope it will stand the test of time. But in my opinion it seems not yet well enough understood to put all eggs into one basket, in particular when a hybrid mode is not much more expensive.

Most importantly, do you see how your example from above is actually another example why a hybrid mode is preferable? In your example, the hybrid scheme is only broken after a CRQC exists. For ML-KEM-only, it is game-over immediately after the flaw that you described is discovered, which seems much worse to me.

Yours sincerely,
Tibor
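To make the combiner argument in the thread concrete, here is an added example (not from the thread, and not code from any TLS implementation): a concatenation combiner fed into an HKDF-based key schedule, showing that a leaked ML-KEM shared secret alone recovers an ML-KEM-only session key but not a hybrid one. The component secrets, salt and label are constructed placeholders, and the ECDH-first ordering is an assumption of this example.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256; the TLS 1.3 key schedule is built on HKDF."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), output truncated to length."""
    out, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
    return out[:length]


def traffic_key(shared_secret: bytes) -> bytes:
    """Stand-in for the TLS key schedule: one extract/expand over the (possibly hybrid) shared secret.
    The zero salt and the label are constructed for this example, not TLS's real labels."""
    prk = hkdf_extract(b"\x00" * 32, shared_secret)
    return hkdf_expand(prk, b"example traffic key", 32)


def hybrid_secret(ss_ecdh: bytes, ss_mlkem: bytes) -> bytes:
    """Concatenation combiner: both component secrets feed the key schedule (ECDH first is an assumption)."""
    return ss_ecdh + ss_mlkem


def session_key(ss_ecdh: bytes, ss_mlkem: bytes, hybrid: bool) -> bytes:
    """Key an ML-KEM-only session (ignores ss_ecdh) or a hybrid session derives from the same secrets."""
    return traffic_key(hybrid_secret(ss_ecdh, ss_mlkem) if hybrid else ss_mlkem)


def recorded_traffic_readable(hybrid: bool, mlkem_flaw: bool, ecc_broken: bool) -> bool:
    """The thread's timeline as a predicate over a recorded session: ML-KEM-only falls to the ML-KEM
    flaw alone; hybrid needs the ML-KEM flaw and ECC broken, not necessarily at the same time."""
    return mlkem_flaw if not hybrid else (mlkem_flaw and ecc_broken)


if __name__ == "__main__":
    # Constructed component secrets standing in for real X25519 and ML-KEM outputs.
    ss_ecdh, ss_mlkem = bytes(range(32)), bytes(range(32, 64))
    leaked = ss_mlkem  # what an implementation flaw on the ML-KEM side hands the attacker
    wrong_ecdh = b"\x00" * 32  # attacker has no ECDH secret before a CRQC exists
    print("ML-KEM-only key recovered from leak:", session_key(b"", leaked, False) == session_key(ss_ecdh, ss_mlkem, False))
    print("hybrid key recovered from leak alone:", session_key(wrong_ecdh, leaked, True) == session_key(ss_ecdh, ss_mlkem, True))
```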
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
