On Thu, Jul 9, 2026 at 12:43 AM Blumenthal, Uri - 0553 - MITLL < [email protected]> wrote:
> > Well, if Dr. Avanzi isn’t confident enough in his design, what can I say, > except that perhaps he should’ve worked harder back then? > I think you may have misunderstood his point > However, repeating the argument that people appear to keep forgetting or > ignoring: > > - For data that does *not* need to remain secure beyond CRQC, adding > ECC is great. There are costs, but who cares. > > There are operational costs, there are computational costs, and there are security risks due to complexity. I think that communication-wise or computation-wise, the evidence suggests that the costs are not that big. Security risks (e.g., deployment, code) are indeed worrying me, but for me the algorithmic security lose is bigger. > So, for data with “prolonged” sensitivity, if Dr. Avanzi didn’t design > ML-KEM well enough — that data is dead, regardless of whether ECC is bolted > on or not. > I don't think you understood his point, so, I may suggest my interpretation of his point - as long as lattices are secure, ML-KEM is secure. However, it seems that there might be surprises in the sense that classical algorithms may be developed to solve the problem, and _even_ the designer of ML-KEM is worried that this is a possibility. Now you can ridicule Dr. Avanzi (or any other designer, or urge NIST to retract their selection, or even urge people to stop using QARMA, yet another design by Dr. Avanzi), but I believe that his statement can be summarized as ECDH+ML-KEM - good. ML-KEM alone - not good yet (but will become good as we gain more experience with lattices/ML-KEM). Again, you are entitled to your opinion, but in this case, I have strong reasons to believe you are wrong (feel free to reach out to him, he is certainly not a troll nor crypto wanna-be.). Cheers,
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
