On Wed, Jul 08, 2026 at 11:27:26PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
>    Of course, that’s obvious. However, this has nothing to do with the point
>    I’ve been making — and which, apparently, keeps falling on a deaf ear: 
>    If ML-KEM does fail — does not matter why (bad ML-KEM design, all lattices
>    get broken, only Modules, etc.) — whatever sensitive data is protected by
>    ML-KEM today or in the near future, will fail with ML-KEM. 
>    TL;DR: if your data needs to outlive CRQC, ECC does not help.
>    > I have strong reasons to believe you are wrong . . .
>    In what? 
>    Please explain which one(s) of the above statement(s) is(are) wrong.

"whatever sensitive data is protected by ML-KEM today or in the near future,
will fail with ML-KEM" is only true in a world when a CRQC ever exists, and is
trivially wrong otherwise.  Your TL;DR includes that factor but the preceding
statement does not.

It's clear that you are confident that a CRQC will eventually exist, but based
solely on public data that is not guaranteed.  And while what counts as
"sensitive data" for you may need to remain confidential for decades, that is
not true for everyone's sensitive data; if the relevant timeframe is just a few
years after which loss of confidentiality is not a big deal, then the tradeoffs
and cost/benefit analysis can easily reach a different conclusion.

-Ben

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to