Hi all,

I support both pure-ML-KEM and hybrid ML-KEM. My goal is to get users to
migrate to PQC as much as possible and as fast as possible.

After CRQC arrives, users of hybrid ML-KEM will have 2 choices: 1) Keep
running it (don't mind the classical part's wasteful resources consumptions
for years or forever)  or 2) do another migration to pure PQC.

If one uses hybrid ML-KEM and the migration to pure PQC is just updating
the browsers in 2 laptops and a phone and if this person works in a cyber
security field (possibly a lattice-based crypto researcher somewhere), it
is reasonable to me if this person openly voices support for the hybrid
option and optionally try to stop others from using the pure option; this
person might think that the hybrid has less security risks over all (I
don't make a judgement call here about which type of implementations have
more risks) and/or this person might want to be seen/known as being
conservative in security publicly.

Theoretically, the hybrid option has an advantage over the pure if ML-KEM
is broken but the classical part is still secure before CRQC arrives and
the data do not need to be protected after the CRQC's arrival.

For big organizations where a migration is costly and they believe that
CRQC's arrival is not far away, I understand why they think hard about
going with hybrid or pure PQC and it is reasonable to me if they decide to
go with pure pqc.

Regards,
Quynh.
PS: If you have questions for me, likely I won't answer them.

>
>
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to