Hi all, I support both pure-ML-KEM and hybrid ML-KEM. My goal is to get users to migrate to PQC as much as possible and as fast as possible.
After CRQC arrives, users of hybrid ML-KEM will have 2 choices: 1) Keep running it (don't mind the classical part's wasteful resources consumptions for years or forever) or 2) do another migration to pure PQC. If one uses hybrid ML-KEM and the migration to pure PQC is just updating the browsers in 2 laptops and a phone and if this person works in a cyber security field (possibly a lattice-based crypto researcher somewhere), it is reasonable to me if this person openly voices support for the hybrid option and optionally try to stop others from using the pure option; this person might think that the hybrid has less security risks over all (I don't make a judgement call here about which type of implementations have more risks) and/or this person might want to be seen/known as being conservative in security publicly. Theoretically, the hybrid option has an advantage over the pure if ML-KEM is broken but the classical part is still secure before CRQC arrives and the data do not need to be protected after the CRQC's arrival. For big organizations where a migration is costly and they believe that CRQC's arrival is not far away, I understand why they think hard about going with hybrid or pure PQC and it is reasonable to me if they decide to go with pure pqc. Regards, Quynh. PS: If you have questions for me, likely I won't answer them. > >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
