I do not support publishing this document. The costs of using PQ+ECC are known and minimal, while providing significant "belt and braces" backup security practices if the PQ primitive fails. This document advocates removing that backup for no clear benefit and significant additional risk. Given the chances that the PQ specification and implementation are both not subject to future successful attacks are approximately zero, I see no reason to recommend anyone implement PQ without an ECC backup.
Charles -- ------------------------------------------------------------------ Charles Cazabon <[email protected]> Software, consulting, and services available at http://pyropus.ca/ ------------------------------------------------------------------ _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
