*   As others also commented before, what is so special about PQC here?

I believe the draft makes that issue clear.

There is a rather special case where some entity develops a CRQC without anyone 
knowing about it

and can thus surreptitiously break non-PQ DSA and forge certificates.



I guess this is not too different from having a secret classical algorithm that 
breaks ECDSA,

but (as hybrid enthusiasts suggest) people are less skeptical of the former 
than the latter



Y(J)S

This message is intended only for the designated recipient(s). It may contain 
confidential or proprietary information. If you are not the designated 
recipient, you may not review, copy or distribute this message. If you have 
mistakenly received this message, please notify the sender by a reply e-mail 
and delete this message. Thank you.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to