Uri,

I think you missed my point.

The statement made was

  1.  hybrid is LESS secure (so pure ML-KEM should be used)
  2.  he doesn’t support publishing pure ML-KEM (so hybrid should be used).

I was just a bit confused about how these two statements are to be reconciled.

Y(J)S

From: Blumenthal, Uri - 0553 - MITLL <[email protected]>
Sent: Monday, June 29, 2026 6:52 PM
To: Yaakov Stein <[email protected]>; [email protected]
Subject: Re: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)

>> * For the time being, hybrid cryptography appears clearly less secure than 
>> solo post-quantum cryptography
>>  I do not support the publication of this document.
 >
> Less secure but should be used ?

Hybrid will always be less secure, if (a) you agree that CRQC is coming, and 
(b) your data will remain sensitive through that time.

Therefore, IMHO it should not be used — but unlike some others on this list, I 
want those who have reasons to use Hybrid, to be able to do so, without having 
to convince me that they truly really want/need it.
This message is intended only for the designated recipient(s). It may contain 
confidential or proprietary information. If you are not the designated 
recipient, you may not review, copy or distribute this message. If you have 
mistakenly received this message, please notify the sender by a reply e-mail 
and delete this message. Thank you.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to