Hi Loganaden,
> On 3 Mar 2026, at 05:35, Loganaden Velvindron <[email protected]> wrote:
>
> Alternatively, if NIST could support hybrids officially, a lot of the
> current issues would go away ?

NIST don’t mind hybrids. It’s SDOs in e.g. Canada and the UK that are sending
strong messaging that “double” migrations are potentially very costly and
risky, and thus urge people to consider a direct-to-pure-PQ migration. There
is also one particular set of purchasing requirements for US National Security
systems (CNSA) that mandates pure PQC [1], where my impression [2] is strongly
that this is not just to avoid “double migration” but perhaps even more so to
simply reduce the number of algorithms they need to keep track of.

People who mind hybrids mostly appear to do so for “soft” reasons rather than
“hard” technical reasons. Arguing how practical/fast/small hybrids are, and
that they shouldn’t mind them, isn’t really a convincing argument for them.

Regards,
Thom

[1] CNSA 2.0 has one exception for when hybrids are absolutely necessary for
compatibility reasons: my understanding is that this caveat exists basically
just for IKEv2.
[2] Clearly I’m not an American nor do I work for the NSA, so I can’t speak for
them.
_______________________________________________
TLS mailing list -- [email protected]