On Wed, Jul 08, 2026 at 11:27:26PM +0000, Blumenthal, Uri - 0553 - MITLL wrote: > Of course, that’s obvious. However, this has nothing to do with the point > I’ve been making — and which, apparently, keeps falling on a deaf ear: > If ML-KEM does fail — does not matter why (bad ML-KEM design, all lattices > get broken, only Modules, etc.) — whatever sensitive data is protected by > ML-KEM today or in the near future, will fail with ML-KEM. > TL;DR: if your data needs to outlive CRQC, ECC does not help. > > I have strong reasons to believe you are wrong . . . > In what? > Please explain which one(s) of the above statement(s) is(are) wrong.
"whatever sensitive data is protected by ML-KEM today or in the near future, will fail with ML-KEM" is only true in a world when a CRQC ever exists, and is trivially wrong otherwise. Your TL;DR includes that factor but the preceding statement does not. It's clear that you are confident that a CRQC will eventually exist, but based solely on public data that is not guaranteed. And while what counts as "sensitive data" for you may need to remain confidential for decades, that is not true for everyone's sensitive data; if the relevant timeframe is just a few years after which loss of confidentiality is not a big deal, then the tradeoffs and cost/benefit analysis can easily reach a different conclusion. -Ben _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
