> I have been led to understand that hybrid algorithms are very significantly harder to break than either conventional or PQ algorithms
>From where? On Tue, May 26, 2026, 4:34 PM Brian E Carpenter <[email protected]> wrote: > On 27-May-26 03:22, Blumenthal, Uri - 0553 - MITLL wrote: > > > > >> That depends on relative difficulty of breaking algorithms. If > quantum > > >> attack against first algorithm is much cheaper than attacking the > second > > >> algorithm, then the second algorithm is the bottleneck and adding the > > >> first to composite does not improve security. > > > > > > Last time I checked, 1000+1 > 1000, which is all I was asserting. If > I’d > > > asserted "breaking two algorithms is always *significantly* harder > than > > > breaking one algorithm", I would have been wrong. > > > > You keep ignoring or forgetting that the above “+1” is not free, so one > has to evaluate the cost/trouble of adding that “1” against the benefits > it’s going to add. > > That's a different argument. I completely agree that the final decision > about what algorithm(s) to implement or deploy needs such a cost/benefit > analysis. > > > > > For example, nobody argues that if we super-encrypt AES ciphertext with > , e.g., ARIA — we’ll increase the overall security. But, for reasons quite > obvious, nobody seems willing to add that “+1” to the “1000” that AES > already provided. > > Fair enough. But I have been led to understand that hybrid algorithms are > very significantly harder to break than either conventional or PQ > algorithms, and only somewhat more expensive to deploy. > > Brian > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
