On Mon, Apr 06, 2026 at 03:11:23PM +0200, Muhammad Usama Sardar wrote:

> Also, as a counter-argument to my position, can someone kindly show me
> that pure ML-KEM is /more/ secure than hybrid in the context of TLS
> protocol? Thank you.

65536-bit RSA is "more secure" than 2048-bit RSA, is that a compelling
argument to never use 2048-bit RSA, and always use 65536-bit RSA?
Any choice of cryptographic parameters is ultimately a tradeoff.

Admittedly, in this case hybrids mitigate additional risks without being
unduly impractical, but not everyone sees those risks in quite the same
light.  I agree that hybrids are prudent, and would like to see that
point clearly stated in the pure ML-KEM draft, but I very much don't
think standing in the way of publication is sensible.  Rather, I see it
as a counterproductive loss of opportunity to recommend due caution.

-- 
    Viktor.  🇺🇦 Слава Україні!
