I do not support publishing this document.

The costs of using PQ+ECC are known and minimal, while providing significant
"belt and braces" backup security practices if the PQ primitive fails.  This
document advocates removing that backup for no clear benefit and significant
additional risk.  Given the chances that the PQ specification and
implementation are both not subject to future successful attacks are
approximately zero, I see no reason to recommend anyone implement PQ without
an ECC backup.

Charles
-- 
------------------------------------------------------------------
Charles Cazabon                     <[email protected]>
Software, consulting, and services available at http://pyropus.ca/
------------------------------------------------------------------

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to