> Are you saying that you're now in favor of hybrids for encryption but not for signatures? What's the relevant difference?

No, I’m still for non-hybrid PQ KEM and signatures. But I recognize (though disagreeing with) the arguments of those who want hybrid KEMs. I do not buy the arguments for hybrid signatures at all.

> On the pro-hybrid side, here's the common-sense argument again, where I again don't see a difference between signatures and encryption:
>
> * With ECC+PQ encryption, an attacker with a PQ break still has to break the ECC encryption. This makes ECC+PQ less risky than PQ for encryption.

And adding another KEM based on a different math concept, e.g., code-based – would decrease the risk even more. So, why not ECC+Kyber+McEliece? Where do you draw the line? I draw it on PQ itself, willing to put my eggs into the lattice basket.

> * With ECC+PQ signatures, an attacker with a PQ break still has to break the ECC signatures. This makes ECC+PQ less risky than PQ for signatures.

This boils down to the need to maintain infrastructure, codebase, etc. for ECC and PQ, plus the possible intricacies of their interactions – vs. the concern that the PQ part would fail while the ECC part would not. One line of thought says “the longer it’s been around – the less likely it is to fail, so ECC will last at least until CRQC”. Another view is – “ECC has been around for so long that there’s bound to be a breakthrough”.

In short, you strengthened my conviction that hybrid KEMs don’t make practical sense (diminishing returns), because we know enough now about the accepted PQ algorithms to be reasonably certain that they won’t be the weakest part. As I understand, that’s the position that GCHQ and NSA took – unless you really believe that they secretly aim to weaken the crypto used by US and GB military & (especially) civilian government departments/organizations.

> See also https://blog.cr.yp.to/20240102-hybrid.html for a more detailed analysis, again covering both cases. Of course, the concrete examples (such as SIKE) vary between signatures and encryption.

I did. For how long has SIKE been around? Compared to, e.g., NTRU? How many Classic PKC systems came up and got broken?
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org