Dear all,

+1 on Tibor’s thoughts below.

Best regards
Christoph

> On Fri, Feb 27, 2026, at 11:19 PM, Tibor Jager wrote:
>>>> On 27.02.2026 at 21:16, Ilari Liusvaara <[email protected]> wrote:
>>> - There does not seem to be any evidence that ML-KEM is weak. I think
>>> that if ML-KEM gets badly broken, it will be for unforeseeable reasons
>>> (which is a risk for any cryptographic algorithm, including prime-
>>> field ECC).
>>
>> Except that for a hybrid mode, both ML-KEM and ECC must be broken
>> simultaneously.
>>
>> I think it is unwise to rely *only* on ML-KEM (or any other scheme
>> based on relatively new hardness assumptions), and currently do not
>> support any draft that does not use hybrid cryptography. In particular
>> when the use of hybrid crypto comes with negligible overhead, as for
>> ML-KEM + ECC.
>>
>> For almost every broken cryptosystem there was a time when there seemed
>> to be no evidence that it is weak. ML-KEM still needs to stand the test
>> of time.
>>
>> Best regards,
>> Tibor
_______________________________________________
TLS mailing list -- [email protected]
