The security analysis of post-quantum crypto is far less mature than the security analysis of ECC was when the Internet moved to ECC:
* 48% of the 69 round-1 submissions to the NIST post-quantum competition in 2017 have been broken by now.
* 25% of the 48 submissions unbroken during round 1 have been broken by now.
* 36% of the 28 submissions _selected by NIST in 2019 for round 2_ have been broken by now.

See https://cr.yp.to/papers.html#qrcsp for the data, and slide 11 of https://cr.yp.to/talks.html#2024.01.11 for a graph showing when the breaks were published.

We have to try to protect users against quantum computers. This means rolling out post-quantum crypto asap. But we also need a simple rule of always using hybrids in case the post-quantum crypto fails. This rule has been followed by every major post-quantum deployment so far, has played an important role in _encouraging_ post-quantum deployment, and meant that the break of SIKE didn't turn into an immediate break of real user data that Google and Cloudflare had encrypted with CECPQ2.

NSA and GCHQ have been arguing to the contrary. Their arguments don't hold up to examination; see https://blog.cr.yp.to/20240102-hybrid.html. But the arguments are still sitting there, and NSA's market influence cannot be ignored.

I would treat non-hybrid drafts in IETF the same way as "export" options in code: they're security risks. I would encourage explicit withdrawal of any such drafts.

---D. J. Bernstein

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls