Blumenthal, Uri - 0553 - MITLL writes:
> Given how the two (KEM and DSA) are used, and what threats may exist
> against each of them, I think it's perfectly fine to use PQ instead of
> ECC+PQ here.

Hmmm. I don't see where your previous anti-hybrid argument (https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/rL9T8mpAkMs/m/i3QKJYZbEAAJ) distinguishes encryption from signatures. Are you saying that you're now in favor of hybrids for encryption but not for signatures? What's the relevant difference?

On the pro-hybrid side, here's the common-sense argument again, where I again don't see a difference between signatures and encryption:

* With ECC+PQ encryption, an attacker with a PQ break still has to break the ECC encryption. This makes ECC+PQ less risky than PQ for encryption.

* With ECC+PQ signatures, an attacker with a PQ break still has to break the ECC signatures. This makes ECC+PQ less risky than PQ for signatures.

See also https://blog.cr.yp.to/20240102-hybrid.html for a more detailed analysis, again covering both cases. Of course, the concrete examples (such as SIKE) vary between signatures and encryption.

---D. J. Bernstein
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org