I keep hearing this “there are communities that want pure PQ”, but I’ve yet to hear a compelling reason for this that doesn’t involve embedded devices where code size is a constraint (mentioned in passing in the latest draft). If we’re going back to the days of ‘customer knows best’ in regards to deciding which ciphersuites are secure, then Camellia and ARIA ought to come back, and Simon, Speck, and ChaCha8 ought to be introduced.
While I respect the contents of the draft as probably secure, I think we need to acknowledge the duplication and unnecessary risk we are introducing alongside the universally respected hybrid suites. Is there a customer that can provide a compelling reason as to why a hybrid construction degrades the security of their product? Is there any compelling reason at all against hybridization?

Andrei states:

> Private sector SW vendors need to comply with government rulemaking, at least if they hope to sell products and services to the government. Also, certain private sector organizations tend to adopt government guidelines for their own operations.

If the TLS WG standardized every government guideline in order to enable private sector vendors, then there would be far too much noise. McEliece, HQC, SLH-DSA, LMS, FrodoKEM, NTRU… The purpose of TLS 1.3 is to choose a small selection of the most conservative ciphersuites for long-term confidentiality. Introducing standalone ML-KEM alongside the currently deployed hybrids goes against that principle.

Additionally, I’d like to point out a compelling case against adopting NIST requirements without further scrutiny: Dual-EC-DRBG. Anyone with a pair of eyes could see that the lack of truncation and the use of constant curve points rather than a Hash-To-Curve algorithm (or even hashing to a point, as is the case with NIST curves) indicated that someone knew the discrete logarithm of P to Q. It could only have been implemented by Microsoft, RSA, Cisco, and other large companies because there was no scrutiny. I find it particularly disheartening to see—once again—a lack of scrutiny towards the selection of secure defaults for worldwide adoption.

I do not support publication of this document.

Best,
Josh.
-------- Original Message --------
On Thursday, 02/12/26 at 14:47 Salz, Rich <[email protected]> wrote:
> The draft has “Recommended N.” There are communities that want pure-PQ, even
> if this WG thinks it’s not the best thing to do.
>
> I support publication.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
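The Dual-EC-DRBG point made in the message above rests on one algebraic fact: the generator advances its state with s <- x(s*P) and emits x(s*Q), so if the two fixed points are related by P = d*Q and someone holds d, then d times the point behind a single output is s*P, i.e. the next state, and every later output follows. The following is an added worked example, not part of the thread and not the NIST specification: it uses a textbook toy curve (y^2 = x^3 + 2x + 2 over F_17, group order 19, generator (5, 1)), a trapdoor d = 3 chosen here for illustration, and a one-bit truncation of the x-coordinate in place of the 16 bits the real design drops, so the attacker's candidate enumeration is tiny but has the same shape (lift each candidate x to a point, multiply by d, keep the candidate whose predicted next output matches).

```python
"""Toy Dual EC DRBG with a trapdoor.  Added example with constructed
parameters; the toy curve is y^2 = x^3 + 2x + 2 over F_17 (order 19)."""

P_MOD, A, B = 17, 2, 2          # field prime and curve coefficients
G = (5, 1)                      # generator of the order-19 group
INF = None                      # point at infinity
FIELD_BITS = P_MOD.bit_length() # 5 bits per x-coordinate on this toy curve


def _inv(x):
    return pow(x % P_MOD, -1, P_MOD)


def ec_add(p1, p2):
    """Affine point addition, handling infinity, doubling and P + (-P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """Return some point (x, y) on the curve, or None if no such point exists.
    Either square root works: d*(-R) = -(d*R) has the same x-coordinate."""
    if not 0 <= x < P_MOD:
        return None
    rhs = (x ** 3 + A * x + B) % P_MOD
    for y in range(P_MOD):
        if (y * y) % P_MOD == rhs:
            return (x, y)
    return None


def truncate(r, drop_bits):
    """Drop the top `drop_bits` bits of an x-coordinate (Dual EC drops 16 of 256)."""
    return r & ((1 << (FIELD_BITS - drop_bits)) - 1)


def dual_ec(seed, n, P, Q, drop_bits=0):
    """Honest generator: s <- x(s*P), then output truncate(x(s*Q))."""
    s, outs = seed, []
    for _ in range(n):
        s = ec_mul(s, P)[0]
        outs.append(truncate(ec_mul(s, Q)[0], drop_bits))
    return outs


def predict_from_state(s, n, P, Q, drop_bits=0):
    """Attacker's forward run from a known state s_i: emit x(s_i*Q), then advance."""
    outs = []
    for _ in range(n):
        outs.append(truncate(ec_mul(s, Q)[0], drop_bits))
        s = ec_mul(s, P)[0]
    return outs


def recover_state(outputs, d, P, Q, drop_bits=0):
    """Given two consecutive (truncated) outputs r1, r2 and the trapdoor d
    with P = d*Q, return the state s2 that produced r2, or None."""
    r1, r2 = outputs[0], outputs[1]
    kept = FIELD_BITS - drop_bits
    for hi in range(1 << drop_bits):            # enumerate the dropped bits
        R = lift_x(r1 | (hi << kept))           # candidate point s1*Q
        if R is None:
            continue
        s2 = ec_mul(d, R)[0]                    # d*(s1*Q) = s1*P, its x is s2
        if predict_from_state(s2, 1, P, Q, drop_bits)[0] == r2:
            return s2                           # candidate confirmed by r2
    return None


if __name__ == "__main__":
    d, Q = 3, G                                 # constructed trapdoor and point
    P = ec_mul(d, Q)                            # the "fixed" P an insider chose
    seen = dual_ec(seed=2, n=6, P=P, Q=Q, drop_bits=1)
    s2 = recover_state(seen, d, P, Q, drop_bits=1)
    print("observed:", seen)
    print("recovered state s2:", s2)
    print("predicted r2..r6:", predict_from_state(s2, 5, P, Q, drop_bits=1))
```

With 16 dropped bits the same loop runs 2^16 times per candidate output, which is why the truncation in the real design buys so little; replacing the fixed P, Q with points derived from a nothing-up-my-sleeve hash would leave nobody in a position to know d.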
