Thanks Rich for the proposal. Some comments and revised proposal below:
On 10.04.26 17:10, Salz, Rich wrote:
> In deployments where the size and computation cost of deploying a hybrid is negligible or otherwise not a concern,
This qualifier is actually not required for the security hypothesis.
> a PQ/T hybrid is more secure as the traditional algorithms have had more analysis than their post-quantum counterparts.

It's not just about the analysis. It's because of the compositional security argument.
> In this case, developers SHOULD strongly consider if a PQ/T hybrid meets their needs.
---

# Revised Proposal

Because of compositional security, a PQ/T hybrid is at least as secure as the standalone post-quantum counterparts and traditional algorithms. Moreover, PQ/T hybrids have received significantly more analysis and deployment experience than the standalone post-quantum counterparts. Hence, developers SHOULD prefer a PQ/T hybrid over standalone post-quantum counterparts whenever possible, such as where the size and computation cost of deploying a hybrid is negligible or otherwise not a concern. If developers choose to use standalone post-quantum counterparts, they SHOULD understand the following risks: <list of risks>
Best, -Usama
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
