Brian E Carpenter wrote:
> Last time I checked, 1000+1 > 1000, which is all I was asserting.

Hybridization is not simple addition, it is more like A XOR B...

Brian E Carpenter wrote:
> And to get back to the topic at hand, I have developed the opinion that
> we need a document written by some experts that lays out objectively
> the difference between conventional, PQ, and hybrid approaches in terms
> that non-cryptologists can understand. With that in hand we can publish
> documents like the one in question with a 'caveat emptor' reference.

A 'caveat emptor' reference would be even more needed for new documents with standalone quantum-vulnerable cryptography
https://datatracker.ietf.org/doc/draft-ietf-jose-hpke-encrypt/

Especially if the new standalone quantum-vulnerable cryptography is exotic
https://datatracker.ietf.org/doc/draft-ietf-jose-json-web-proof/

Cheers,
John Preuß Mattsson

From: Brian E Carpenter <[email protected]>
Date: Tuesday, 26 May 2026 at 09:44
To: Ilari Liusvaara <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>
Subject: [TLS] Re: [Last-Call] <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

On 26-May-26 19:10, Ilari Liusvaara wrote:
> On Tue, May 26, 2026 at 11:23:48AM +1200, Brian E Carpenter wrote:
>>
>> Assuming that means "breaking two algorithms is always harder than
>> breaking one algorithm", that is very hard to argue against, from
>> my point of view as a crypto ignoramus.
>
> That depends on relative difficulty of breaking algorithms. If quantum
> attack against first algorithm is much cheaper than attacking the second
> algorithm, then the second algorithm is the bottleneck and adding the
> first to composite does not improve security.

Last time I checked, 1000+1 > 1000, which is all I was asserting. If I'd asserted "breaking two algorithms is always *significantly* harder than breaking one algorithm", I would have been wrong.

And to get back to the topic at hand, I have developed the opinion that we need a document written by some experts that lays out objectively the difference between conventional, PQ, and hybrid approaches in terms that non-cryptologists can understand. With that in hand we can publish documents like the one in question with a 'caveat emptor' reference.

Brian

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
