Alicja Kario writes:
> Or:
> Auditor sees that P + Q system is more complex to implement and validate
> than a simple Q system, therefore ML-DSA security > ML-DSA+Ed25519 security.

Therefore the deployment of CECPQ2b = ECC+SIKE should have been replaced with just SIKE? What's next, advocating the null cipher on the basis of how simple it is?

See https://blog.cr.yp.to/20240102-hybrid.html for further analysis of the anti-hybrid arguments from NSA and GCHQ. The TLS WG can and should investigate the details and make its own decisions.

> And even if I don't believe it, I won't be able to provide sufficient
> arguments to convince the customer that the auditor is wrong.

Then why is ECC+PQ such a popular way to deploy PQ, with decision-makers repeatedly pointing to the risk reduction? And why does https://web.archive.org/web/20220524232250/https://www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf show another NSA program using two independent cryptographic layers "to mitigate the ability of an adversary to exploit a single cryptographic implementation", in NSA's words?

---D. J. Bernstein