Scott Fluhrer (sfluhrer) writes:
> I understand that people want to discuss the hybrid KEM draft more
> (because there are more options there) - can we at least get the less
> controversial part done?

See https://blog.cr.yp.to/20240102-hybrid.html. Using just PQ, rather
than ECC+PQ, would incur security risks without improving deployment.
Regarding "less controversial", you might have missed previous TLS WG
messages such as

    https://mailarchive.ietf.org/arch/msg/tls/j1qkfNmk33OZ7hgCR53TiLmYOiA/
    https://mailarchive.ietf.org/arch/msg/tls/I1GPuKLCBJ3jA-ovNcuIsLlNGkM/
    https://mailarchive.ietf.org/arch/msg/tls/gB55YMMdfFLqaCE9ughNXX8qjtA/

where various people (including me, obviously) already objected. Also,
you might have missed BSI writing in

    https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile

that its post-quantum KEM recommendations are only "in combination with
a classical key derivation mechanism"; commentator Matt Green writing in

    https://x.com/matthew_d_green/status/1742521204026622011

that NSA's "stance against hybrid encryption makes absolutely zero
sense"; and NSA itself in

    https://web.archive.org/web/20220524232250/https://www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf

asking for two cryptographic layers "to mitigate the ability of an
adversary to exploit a single cryptographic implementation".

---D. J. Bernstein
