It would probably be useful to be clearer about what "very significantly harder" means.
One likely outcome [0] is that breaking a hybrid algorithm is roughly as hard as the sum of independently breaking each component of the hybrid. As others have observed, that is also sometimes true of the hybrid of two non-PQ algorithms, and yet our RFCs don't have warnings about using non-PQ algorithms in standalone modes. -Ekr [0] Though by far not the only one, in part because the term "breaking" is so vague. On Tue, May 26, 2026 at 2:39 PM Deirdre Connolly <[email protected]> wrote: > > I have been led to understand that hybrid algorithms are very > significantly harder to break than either conventional or PQ algorithms > > From where? > > On Tue, May 26, 2026, 4:34 PM Brian E Carpenter < > [email protected]> wrote: > >> On 27-May-26 03:22, Blumenthal, Uri - 0553 - MITLL wrote: >> > >> > >> That depends on relative difficulty of breaking algorithms. If >> quantum >> > >> attack against first algorithm is much cheaper than attacking the >> second >> > >> algorithm, then the second algorithm is the bottleneck and adding >> the >> > >> first to composite does not improve security. >> > > >> > > Last time I checked, 1000+1 > 1000, which is all I was asserting. If >> I’d >> > > asserted "breaking two algorithms is always *significantly* harder >> than >> > > breaking one algorithm", I would have been wrong. >> > >> > You keep ignoring or forgetting that the above “+1” is not free, so one >> has to evaluate the cost/trouble of adding that “1” against the benefits >> it’s going to add. >> >> That's a different argument. I completely agree that the final decision >> about what algorithm(s) to implement or deploy needs such a cost/benefit >> analysis. >> >> > >> > For example, nobody argues that if we super-encrypt AES ciphertext with >> , e.g., ARIA — we’ll increase the overall security. But, for reasons quite >> obvious, nobody seems willing to add that “+1” to the “1000” that AES >> already provided. >> >> Fair enough. But I have been led to understand that hybrid algorithms are >> very significantly harder to break than either conventional or PQ >> algorithms, and only somewhat more expensive to deploy. >> >> Brian >> _______________________________________________ >> TLS mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
