Hi, I’m opposed to the publication of this document. We can’t trust ML-KEM to stand on its own against classical attacks yet. The hybrid approach is more secure and worth the 3% cost during key exchange.
After Q-Day, hybrids are still more secure for a while. Because if an actor breaks the post quantum part, he may not have access to the quantum hardware that breaks the classical part yet. We should drop ECDHE only when quantum computers are ubiquitous. Michael Gouin _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
