> > More importantly, in my perspective, advocating hybrids is neither a criticism of ML-DSA, nor an application of double standards. But it is a matter of risk management. We are considering introducing algorithms based on comparatively new hardness assumptions into the most important cryptographic protocol on the Internet. There is nothing wrong with optimism, but in this context one may also argue that a more cautious approach is warranted. Better safe than sorry.
In a vacuum, hybrids are obviously better. The reality is that we haven't converged on *which* hybrid for signatures in the ecosystems I'm aware of. We can't expect every server to install certificates for all 18 variants of lamps-pq-composite-sigs, nor the six variants of its not-so-short short list. You frame *insisting* on PQ/T hybrids as the most conservative approach generally, whereas it is in fact a bet most consistent with the view that quantum attack will not materialize.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
