On 06.04.26 23:24, Nico Williams wrote:
> On Mon, Apr 06, 2026 at 09:38:55PM +0200, Muhammad Usama Sardar wrote:
>> It deeply surprises me that IEEE is starting off its PQC transition with non-hybrids rather than hybrids. If they have done no analysis, we should tell them the risks and that hybrids are currently preferable. That's why I keep emphasizing that we should first recommend hybrids and that risks should be thoroughly mentioned in the pure ML-KEM draft, if we are to publish it.
>
> Their trade-offs might be different to ours. Perhaps they think that security in-depth means you'll use TLS at the application layer, with hybrids, and so if you use PQ-only at the network layer, in the worst case scenario you're still protected by the use of hybrids at the application layer.

Well, this double TLS is really shooting in the foot the only somewhat reasonable argument I've seen for non-hybrid so far: efficiency!
Best, -Usama
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
