>> So, for data with “prolonged” sensitivity, if Dr. Avanzi didn’t design 
ML-KEM well
>> enough — that data is dead, regardless of whether ECC is bolted on or not.
>
> I don't think you understood his point


I think we all guilty of not understanding each other’s points — see below.


> so, I may suggest my interpretation of his point - as long as lattices are 
> secure,
> ML-KEM is secure. However, it seems that there might be surprises in the sense
> that classical algorithms may be developed to solve the problem, and _even_ 
> the designer of ML-KEM is worried that this is a possibility.


Of course, that’s obvious. However, this has nothing to do with the point I’ve 
been making — and which, apparently, keeps falling on a deaf ear: 


If ML-KEM does fail — does not matter why (bad ML-KEM design, all lattices get 
broken, only Modules, etc.) — whatever sensitive data is protected by ML-KEM 
today or in the near future, will fail with ML-KEM. 


TL;DR: if your data needs to outlive CRQC, ECC does not help.


> I have strong reasons to believe you are wrong . . .


In what? 


Please explain which one(s) of the above statement(s) is(are) wrong.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to