Hi Viktor, On 06.04.26 15:35, Viktor Dukhovni wrote:
This is comparing small apples and big apples whereas the comparison under discussion is "apples concatenated with oranges" vs. "oranges only".On Mon, Apr 06, 2026 at 03:11:23PM +0200, Muhammad Usama Sardar wrote:Also, as a counter-argument to my position, can someone kindly show me that pure ML-KEM is /more/ secure than hybrid in the context of TLS protocol? Thank you.65536-bit RSA is "more secure" than 2048-bit RSA, is that a compelling argument to never use 2048-bit RSA, and always use 65536-bit RSA?
Any choice of cryptographic parameters is ultimately a tradeoff. Admittedly, in this case hybrids mitigate additional risks without being unduly impractical, but not everyone sees those risks in quite the same light. I agree that hybrids are prudent, and would like to see that point clearly stated in the pure ML-KEM draft,
Sure, hence my request [0]. Thanks for support.
but I very much don't think standing in the way publication is sensible.
Already clarified to sufficient detail in [1], so needless to repeat. Best regards, -Usama [0] https://mailarchive.ietf.org/arch/msg/tls/oiVmp3PCo9H6aiugPQ8aVFztvVg/ [1] https://mailarchive.ietf.org/arch/msg/tls/q4nNjdrGrJv-4s1JYVHz41WJ2Go/
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
