Andrey Jivsov writes:
> Does this point apply in your opinion to hash-based signatures?

Yes. Here's a comment I made about this topic in CFRG a few weeks ago:
"I've sometimes run into people surprised that I recommend _always_
using hybrids rather than making exceptions for McEliece and SPHINCS+.
This is easy to answer: When a defense is simple and easily affordable,
why make exceptions? Many reviewers aren't familiar with post-quantum
cryptography; why give them excuses to delay deployment? Also, if some
random McEliece implementation has a devastating bug, is blaming the
programmer really the right answer?"

---D. J. Bernstein

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
