I think we should all agree that this choice, which has dominated much of the discussion for years, is one of the least impactful aspects of the transition.
The pros and cons between the two approaches are hard to decide precisely because the actual security difference is pretty small, and therefore the result you arrive at will depend strongly on your use case and assumptions. The consequences of fighting over the small differences, however, are real and substantial. -Tim ________________________________ From: Blumenthal, Uri - 0553 - MITLL <[email protected]> Sent: Monday, April 6, 2026 3:54 PM To: Muhammad Usama Sardar <[email protected]> Cc: [email protected] <[email protected]> Subject: [TLS] Re: [EXT] Re: New Liaison Statement, "Liaison communication to IETF regarding draft-ietf-tls-mlkem" It deeply surprises me that IEEE is starting off its PQC transition with non-hybrids rather than hybrids. If they have done no analysis, we should tell them the risks and that hybrids are currently preferable. That's why I keep emphasizing that we should first recommend hybrids and that risks should be thoroughly mentioned in pure ML-KEM draft, if we are to publish it. I want to assure you that people who prefer non-hybrids have done their analysis, not less rigorously than the proponents of the hybrid approach. Both groups are well-aware of their opponents’ arguments. The fact remains that these two groups disagree in their conclusions. For how much longer will the opponents of non-hybrid (because the other side has nothing against hybrids — they simply want the freedom to exercise other options, based on their educated conclusion) beat this dead horse?
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
