Stephen, I don’t think attempting to develop consensus in this case would be 
either useful or productive. 

It is obvious that pure PQ KEMs are the future, when CRQC becomes “more” real. 
Some respected cryptographers are convinced that it is the optimal solution for 
now as well. 
Some other respected cryptographers insist on combining PQ KEM with a classic 
one, at least until <CRQC arrives? They’ve become convinced somehow that ML-KEM 
is invulnerable to classic attack?>.

Both camps based their conclusions on solid reasoning (some of which I disagree 
with, but all of which I respect), and are well-aware of the arguments of the 
opposing group. Their positions are not of ignorance, and are extremely 
unlikely to change. 

Thus, I don’t think there’s a way to bring these two camps together, nor do I 
see a need for that. Let TLS offer both hybrid and pure KEMs. And be done with 
it. 
—
Regards,
Uri

Secure Resilient Systems and Technologies
MIT Lincoln Laboratory

> On Dec 14, 2024, at 19:29, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
> 
> Hiya,
> 
> On 15/12/2024 00:07, Blumenthal, Uri - 0553 - MITLL wrote:
>> Those who agree with BSI – let them use Hybrid KEM, as they have their 
>> reasons.
>> Those who agree with NSA – let them use pure ML-KEM, as they have their 
>> reasons
> 
> FWIW, my opinion is that the IETF and the TLS WG ought to (try to) develop our
> own consensus position on this and related topics.
> 
> Cheers,
> S.

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
