On Thu, Jul 9, 2026 at 12:43 AM Blumenthal, Uri - 0553 - MITLL <
[email protected]> wrote:

>
> Well, if Dr. Avanzi isn’t confident enough in his design, what can I say,
> except that perhaps he should’ve worked harder back then?
>

I think you may have misunderstood his point


> However, repeating the argument that people appear to keep forgetting or
> ignoring:
>
>    - For data that does *not* need to remain secure beyond CRQC, adding
>    ECC is great. There are costs, but who cares.
>
>
There are operational costs, there are computational costs, and there are
security risks due to complexity. I think that communication-wise or
computation-wise, the evidence suggests that the costs are not that big.
Security risks (e.g., deployment, code) are indeed worrying me, but for me
the algorithmic security lose is bigger.


> So, for data with “prolonged” sensitivity, if Dr. Avanzi didn’t design
> ML-KEM well enough — that data is dead, regardless of whether ECC is bolted
> on or not.
>

I don't think you understood his point, so, I may suggest my
interpretation of his point - as long as lattices are secure, ML-KEM is
secure. However, it seems that there might be surprises in the sense that
classical algorithms may be developed to solve the problem, and _even_ the
designer of ML-KEM is worried that this is a possibility.

Now you can ridicule Dr. Avanzi (or any other designer, or urge NIST to
retract their selection, or even urge people to stop using QARMA, yet
another design by Dr. Avanzi), but I believe that his statement can be
summarized as ECDH+ML-KEM - good. ML-KEM alone - not good yet (but will
become good as we gain more experience with lattices/ML-KEM).

Again, you are entitled to your opinion, but in this case, I have strong
reasons to believe you are wrong (feel free to reach out to him, he is
certainly not a troll nor crypto wanna-be.).

Cheers,
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to