* NIST don't mind hybrids. True, but my impression from past conversations with NIST (as well as multiple regulators around the world, albeit with some exceptions) is that they see hybrids (and composites) as a temporary/transitional solution at best, with the goal of getting to pure PQC.
* There is also one particular set of purchasing requirements for US National Security systems (CNSA) that mandates pure PQC [1], where my impression [2] is strongly that this is not just to avoid "double migration" but perhaps even more so to simply reduce the number of algorithms they need to keep track of. Without speculating about CNSA's motivation, it is true that if CNSA TLS profile (https://datatracker.ietf.org/doc/draft-becker-cnsa2-tls-profile/) were updated to add hybrid groups, there would be less immediate interest from MSFT side in advancing draft-ietf-tls-mlkem. Cheers, Andrei From: Thom Wiggers <[email protected]> Sent: Tuesday, March 3, 2026 12:28 AM To: Loganaden Velvindron <[email protected]> Cc: <[email protected]> <[email protected]> Subject: [EXTERNAL] [TLS] Re: Proposed Text on hybrid vs non-hybrid | Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2026-02-27) Hi Loganaden, Op 3 mrt 2026, om 05:35 heeft Loganaden Velvindron <[email protected]<mailto:[email protected]>> het volgende geschreven: Alternatively, if NIST could support hybrids officially, a lot of the current issues would go away ? NIST don't mind hybrids. It's SDOs in e.g. Canada and the UK that are sending strong messaging that "double" migrations are potentially very costly and risky, and thus urge people to consider a direct-to-pure-PQ migration. There is also one particular set of purchasing requirements for US National Security systems (CNSA) that mandates pure PQC [1], where my impression [2] is strongly that this is not just to avoid "double migration" but perhaps even more so to simply reduce the number of algorithms they need to keep track of. People who mind hybrids mostly appear to do so for "soft" reasons rather than "hard" technical reasons. Arguing how practical/fast/small hybrids are, and that they shouldn't mind them, isn't really a convincing argument for them. Regards, Thom [1] CNSA 2.0 has one exception for when hybrids are absolutely necessary for compatibility reasons: my understanding is that this caveat exists basically just for IKEv2. [2] Clearly I'm not an American nor do I work for the NSA, so I can't speak for them
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
