Nadim Kobeissi <[email protected]> writes:

> Signature schemes do not have the same compromise profile as key
> agreement schemes (I wrote about this [1]).

...

> [1] https://symbolic.software/blog/2026-04-13-hybrid-constructions/
"Soatok's central observation is one that deserves wider uptake: the harvest-now-decrypt-later (HNDL) threat that motivates hybrid KEMs has no analogue for signatures."

Repeating that statement doesn't make it true. The analog motivation for doing PQ hybrids is man-in-the-middle attacks. If your non-hybrid PQ signature has a weakness (e.g., an implementation bug), it facilitates man-in-the-middle attacks. There were times when man-in-the-middle attacks were as common as harvest-now-decrypt-later attacks are today. I believe that MITMs are generally worse than HNDL attacks.

Adding a pre-PQ signature in hybrid with new PQ systems is low cost compared to the risks. We did that for PQ key agreement based on the HNDL argument. We should do the same for PQ authentication with the MITM argument.

/Simon
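The AND-composition Simon argues for, as an added example that is not part of this thread: Ed25519 stands in for the pre-PQ component and a hand-rolled Lamport one-time signature (hash-based, so quantum-resistant) stands in for the PQ component, since Go's standard library has no ML-DSA. The `domain` label, key layout and message are constructed for the example; the point is the verifier, which rejects unless both component signatures check out, so a bug that breaks one scheme does not by itself let a forged handshake through.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

const domain = "hybrid-sig-v1/" // constructed label; binds both components to one message digest

// Lamport one-time signature over SHA-256: a hash-based (quantum-resistant) stand-in
// for a standardised PQ scheme such as ML-DSA. One secret preimage pair per digest bit.
type lamportKey struct{ sk, pk [256][2][32]byte }
func lamportGen() *lamportKey {
	k := &lamportKey{}
	for i := 0; i < 512; i++ {
		s := &k.sk[i/2][i%2]
		rand.Read(s[:]) // crypto/rand.Read cannot fail as of Go 1.24
		k.pk[i/2][i%2] = sha256.Sum256(s[:])
	}
	return k
}
func bit(d [32]byte, i int) byte { return (d[i/8] >> (7 - uint(i%8))) & 1 }
func lamportSign(k *lamportKey, d [32]byte) (sig []byte) {
	for i := 0; i < 256; i++ { // reveal the preimage selected by each digest bit
		sig = append(sig, k.sk[i][bit(d, i)][:]...)
	}
	return sig
}
func lamportVerify(pk *[256][2][32]byte, d [32]byte, sig []byte) bool {
	if len(sig) != 256*32 { return false }
	for i := 0; i < 256; i++ {
		if sha256.Sum256(sig[i*32:(i+1)*32]) != pk[i][bit(d, i)] { return false }
	}
	return true
}

// HybridSign emits Ed25519 signature || Lamport signature over the same domain-separated digest.
func HybridSign(cl ed25519.PrivateKey, pq *lamportKey, msg []byte) []byte {
	d := sha256.Sum256(append([]byte(domain), msg...))
	return append(ed25519.Sign(cl, d[:]), lamportSign(pq, d)...)
}

// HybridVerify is an AND-combiner: accept only if BOTH components verify, so a
// break in either scheme alone (e.g. an implementation bug) is not enough to forge.
func HybridVerify(cl ed25519.PublicKey, pq *[256][2][32]byte, msg, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize+256*32 { return false }
	d := sha256.Sum256(append([]byte(domain), msg...))
	return ed25519.Verify(cl, d[:], sig[:ed25519.SignatureSize]) && lamportVerify(pq, d, sig[ed25519.SignatureSize:])
}
```

A Lamport key must never sign twice; a deployable hybrid would pair the classical scheme with a stateless PQ scheme such as ML-DSA instead.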
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
