Alicja Kario writes:
> D. J. Bernstein wrote:
> > Alicja Kario writes:
> > > Auditor sees that P + Q system is more complex to implement and validate
> > > than a simple Q system, therefore ML-DSA security > ML-DSA+Ed25519
> > > security.
> > Therefore the deployment of CECPQ2b = ECC+SIKE should have been replaced
> > with just SIKE? What's next, advocating the null cipher on the basis of
> > how simple it is?
> You are mixing up key exchange with authentication...
No, that difference is orthogonal to the security issues I'm describing. With ECC+PQ encryption, an attacker with a PQ break still has to break the ECC encryption. This makes ECC+PQ less risky than PQ for encryption. With ECC+PQ signatures, an attacker with a PQ break still has to break the ECC signatures. This makes ECC+PQ less risky than PQ for signatures.

> Just like others already said on this list: some of us have customers
> asking for pure algorithm options.

NSA controls the cryptographic part of the world's largest military budget, plus indirect influence on non-military purchasing. This doesn't mean that the NSA+GCHQ anti-hybrid arguments are convincing, or that they're even marginally defensible.

> Without showing clear and significant break of those algorithms, we
> are not in a position to enforce value judgment on that behaviour.

That view is not consistent with, e.g., the TLS 1.3 design process, which included extensive work on proactively reducing attack _risks_ beyond the attacks that had been demonstrated.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org