>> So, for data with “prolonged” sensitivity, if Dr. Avanzi didn’t design ML-KEM well >> enough — that data is dead, regardless of whether ECC is bolted on or not. > > I don't think you understood his point
I think we all guilty of not understanding each other’s points — see below. > so, I may suggest my interpretation of his point - as long as lattices are > secure, > ML-KEM is secure. However, it seems that there might be surprises in the sense > that classical algorithms may be developed to solve the problem, and _even_ > the designer of ML-KEM is worried that this is a possibility. Of course, that’s obvious. However, this has nothing to do with the point I’ve been making — and which, apparently, keeps falling on a deaf ear: If ML-KEM does fail — does not matter why (bad ML-KEM design, all lattices get broken, only Modules, etc.) — whatever sensitive data is protected by ML-KEM today or in the near future, will fail with ML-KEM. TL;DR: if your data needs to outlive CRQC, ECC does not help. > I have strong reasons to believe you are wrong . . . In what? Please explain which one(s) of the above statement(s) is(are) wrong.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
