John Mattsson <[email protected]> writes:

> With well-designed composite KEMs, you can indeed obtain the best of
> both worlds, i.e., security corresponding to Max(PQ, T). However, the
> "T" component of PQ/T should soon no longer be considered to provide
> meaningful security, particularly for key exchange. In that case, the
> effective security becomes Max(PQ, 0), which is simply PQ.
The above argument is often repeated, but I think there are nuances that get lost when it is phrased like that. Security is rarely a binary either/or, but more of a spectrum. All ECDSA keys in the world won't automatically be revealed on the first day a CRQC is demonstrated. People still run RSA-1024 deployments (e.g., DNSSEC), and will continue to do so even after 2029. In their threat model the crypto risk is not the biggest problem, and RSA-1024 provides >0 security and is not the weakest link.

We won't have sufficient confidence in practical real-world uses of ML-KEM-512 or ML-DSA-44 until, say, 5-10 years after initial deployments, which are only starting now. Throwing away all the >0 traditional security which non-hybrids would offer is a HNDL/MITM risk.

/Simon
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
