The question at hand is whether CNSA 2.0 will _tolerate_ ECC+PQ (of course assuming the PQ algorithm is on the CNSA 2.0 list).
Some people seem to think that purchasers under NSA control won't buy ECC+PQ products unless the ECC part is removed, and therefore the TLS WG has to adopt PQ along with ECC+PQ. I think the TLS WG should instead prioritize security. This means, e.g., rejecting the proposals for the WG to adopt non-hybrid Dilithium, even if there are crystal-clear orders from NSA to adopt it. But I also haven't seen any such orders. CNSA 2.0 states that "hybrid solutions may be allowed or required due to protocol standards, product availability, or interoperability requirements". This will be triggered if, e.g., the TLS WG issues an RFC requiring all PQ in TLS to be hybrid. aebe...@uwe.nsa.gov writes: > we expect "Expect" is ambiguous: it doesn't distinguish recommendations from requirements or from predictions. "We" is also ambiguous. For example, does "we" include the NSA office that recommends multiple independent cryptographic layers to mitigate "the ability of an adversary to exploit a single cryptographic implementation", in NSA's words? If NSA wants to prohibit ECC+PQ then it's perfectly capable of issuing an unambiguous official statement saying so. ---D. J. Bernstein _______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
