On 26-May-26 19:10, Ilari Liusvaara wrote:
On Tue, May 26, 2026 at 11:23:48AM +1200, Brian E Carpenter wrote:

Assuming that means "breaking two algorithms is always harder than
breaking one algorithm", that is very hard to argue against, from
my point of view as a crypto ignoramus.

That depends on the relative difficulty of breaking the algorithms. If a quantum
attack against the first algorithm is much cheaper than attacking the second
algorithm, then the second algorithm is the bottleneck and adding the
first to the composite does not improve security.

Last time I checked, 1000+1 > 1000, which is all I was asserting. If I'd
asserted "breaking two algorithms is always *significantly* harder than
breaking one algorithm", I would have been wrong.

And to get back to the topic at hand, I have developed the opinion that
we need a document written by some experts that lays out objectively
the difference between conventional, PQ, and hybrid approaches in terms
that non-cryptologists can understand. With that in hand we can publish
documents like the one in question with a 'caveat emptor' reference.

    Brian

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
