Hi,

I’m opposed to the publication of this document. We can’t trust ML-KEM to stand 
on its own against classical attacks yet. The hybrid approach is more secure 
and worth the 3% cost during key exchange.

After Q-Day, hybrids are still more secure for a while. Because if an actor 
breaks the post quantum part, he may not have access to the quantum hardware 
that breaks the classical part yet. We should drop ECDHE only when quantum 
computers are ubiquitous.

Michael Gouin
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to