The argument "hybrid will always be less secure" is incorrect, and the reason is the defining property of any secure KEM combiner. This secure KEM combiner for example: https://eprint.iacr.org/2018/024
On Mon, Jun 29, 2026 at 5:53 PM Blumenthal, Uri - 0553 - MITLL <[email protected]> wrote: > > >> * For the time being, hybrid cryptography appears clearly less secure than > >> solo post-quantum cryptography > > >> I do not support the publication of this document. > > > > > > Less secure but should be used ? > > > Hybrid will always be less secure, if (a) you agree that CRQC is coming, and > (b) your data will remain sensitive through that time. > > > Therefore, IMHO it should not be used — but unlike some others on this list, > I want those who have reasons to use Hybrid, to be able to do so, without > having to convince me that they truly really want/need it. > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
