On Sun, May 24, 2026 at 04:10:07AM +1000, Viktor Dukhovni wrote:
> On Sat, May 23, 2026 at 03:58:02PM -0000, D. J. Bernstein wrote:
> > First, risk comparison has to look at not just probability but impact.
> > For example: https://arxiv.org/abs/2603.28846 shows that a plausible
> > model of a not-many-years-from-now quantum computer will be able to
> > break about 2^15 ECC keys per year. That's very bad for those keys,
> > times the number of quantum computers that the attacker can afford at
> > that point, but it's still far smaller than the number of PQ keys that
> > one would expect to be broken via a single PQ software bug.

Not just software, if you think that the PQC has as-yet-unknown
cryptanalysis.

> Perhaps I've been skimming all the wrong posts, but finally I'm looking
> at a tangible argument rather than litigation of process or motivations,
> in which you do in fact assign more weight to the risk of near-term
> PQ-compromise and less to the import of near-term ECC obsolescence than
> my strawman hypothetical "NSA" posture.

The above is more of the same "I don't trust the PQC, hybrids for the
win" argument.  I don't see a qualitative or quantitative difference.
But also it's never too late (well...) to make a new argument of the
sort.

> Where we part ways is on whether it makes sense to vehemently oppose
> publication of the PQ-only algorithms.  Your case for hybrids will
> convince those who are prepared to be convinced, and if positioned
> less stridently perhaps even some who are on the fence.  But I don't
> see the strategy so far as likely to win broad support.

+1

> The below is reasonable material to include in an argument that hybrids
> are prudent, and to publish a document advocating their use.  FWIW, my
> advice is to build that case, rather than to fight a conspiracy.
> Perhaps it is too late to switch tactics, or my instinct is way off; your
> choice of course, good luck.

Sadly I think you're right.  My advice is to start by dropping or at
least editing that disclaimer to not do the thing that is getting his
posts moderated and his appeals ignored.

IMO hybrids are best, even for signatures.  IMO we should look at the
danger of MITMs as being of similar danger to that of HNDL.

Nico
-- 

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
