The argument "hybrid will always be less secure" is incorrect, and the
reason is the defining property of any secure KEM combiner.
This secure KEM combiner for example: https://eprint.iacr.org/2018/024

On Mon, Jun 29, 2026 at 5:53 PM Blumenthal, Uri - 0553 - MITLL
<[email protected]> wrote:
>
> >> * For the time being, hybrid cryptography appears clearly less secure than 
> >> solo post-quantum cryptography
>
> >>  I do not support the publication of this document.
>
>  >
>
> > Less secure but should be used ?
>
>
> Hybrid will always be less secure, if (a) you agree that CRQC is coming, and 
> (b) your data will remain sensitive through that time.
>
>
> Therefore, IMHO it should not be used — but unlike some others on this list, 
> I want those who have reasons to use Hybrid, to be able to do so, without 
> having to convince me that they truly really want/need it.
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to