On 27-May-26 03:22, Blumenthal, Uri - 0553 - MITLL wrote:
>> That depends on relative difficulty of breaking algorithms. If quantum >> attack against first algorithm is much cheaper than attacking the second >> algorithm, then the second algorithm is the bottleneck and adding the >> first to composite does not improve security. > > Last time I checked, 1000+1 > 1000, which is all I was asserting. If I’d > asserted "breaking two algorithms is always *significantly* harder than > breaking one algorithm", I would have been wrong. You keep ignoring or forgetting that the above “+1” is not free, so one has to evaluate the cost/trouble of adding that “1” against the benefits it’s going to add.
That's a different argument. I completely agree that the final decision about what algorithm(s) to implement or deploy needs such a cost/benefit analysis.
For example, nobody argues that if we super-encrypt AES ciphertext with , e.g., ARIA — we’ll increase the overall security. But, for reasons quite obvious, nobody seems willing to add that “+1” to the “1000” that AES already provided.
Fair enough. But I have been led to understand that hybrid algorithms are very significantly harder to break than either conventional or PQ algorithms, and only somewhat more expensive to deploy. Brian _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
