On Mon, Nov 24, 2025 at 7:14 AM Simon Josefsson <simon= [email protected]> wrote:
> We are having trouble getting safe hybrid PQ solutions published. Until
> we have a couple of widely deployed hybrid PQ KEMs published,
> implemented and deployed, I don't think we should fragment the already
> thin resources we have to reach that goal by spending further cycles on,
> and then publish fragile solutions like this. Please prioritize a
> non-NIST/MLKEM hybrid PQ KEM for TLS. FrodoKEM? Streamlined NTRU
> Prime? We need more hybrid PQ options.
>

Why?

The general deployed pattern in TLS is to have a small number of dominant algorithms, and we already have X25519+MLKEM widely deployed. Given that any particular connection can only be protected with a single algorithm, it's not clear to me how the world is improved by having multiple algorithms with roughly the same performance properties. I could see some argument for having some algorithm with a significantly different performance/security tradeoff (though as I understand it there are some practical challenges to adding Classic McEliece), but that doesn't seem to be what you're suggesting here.

More generally, I am opposed to the IETF publishing any algorithm specification for TLS which has not been externally vetted. That could mean standardized elsewhere or sign-off by CFRG, but the TLS WG should not just be picking up algorithms without external review and adding them to TLS.

-Ekr
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
