On Sun, Dec 15, 2024 at 02:33:34AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> It is obvious that pure PQ KEMs are the future, when CRQC becomes
> “more” real. Some respected cryptographers are convinced that it is
> the optimal solution for now as well. Some other respected
> cryptographers insist on combining PQ KEM with a classic one, at least
> until <CRQC arrives? They’ve become convinced somehow that ML-KEM is
> invulnerable to classic attack?>.

NO, this isn't about the *theory*, it's about the *practice*.  In theory
a strong PQ algorithm is also a strong classical algorithm.  In practice,
it may well be too novel to place all one's eggs in one basket.

> Both camps based their conclusions on solid reasoning (some of which I
> disagree with, but all of which I respect), and are well-aware of the
> arguments of the opposing group. Their positions are not of ignorance,
> and are extremely unlikely to change.
>
> Thus, I don’t think there’s a way to bring these two camps together,
> nor do I see a need for that. Let TLS offer both hybrid and pure KEMs.
> And be done with it.

This may well be the outcome, I was merely voicing dissent on the threat
of banning Dan from the list.

-- 
    Viktor.

And yes, it is rather tricky to implement Kyber/ML-KEM without side
channels introduced by the devil's latest optimising compilers.  The
"clangover" attack is quite resilient, and today's workarounds are no
guarantee that the issue won't come back when the devil's compilers get
even more evil.
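The closing remark about optimising compilers turning constant-time Kyber/ML-KEM code into timing side channels concerns one specific idiom: expanding a secret bit into an all-ones/all-zeros mask and ANDing it with a constant. A compiler that can prove the mask only takes two values is free to rewrite the AND as a branch on the secret bit. The following C is an added example written for this page, not code from the post, from the ML-KEM reference implementation, or from any library; the helper names (`ct_barrier_u16`, `ct_select`, `msg_to_poly_ct`, `ct_memeq`) are hypothetical, the 16-coefficient message decoder is a simplified stand-in for the real 256-coefficient step, and the sample message bytes are constructed. It shows the naive mask-and-AND beside a version that passes the mask through an inline-asm value barrier so the optimiser can no longer reason about it, plus a branch-free byte-array comparison of the kind a KEM decapsulation needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: constant-time mask/select idiom with a compiler value
 * barrier. Not the ML-KEM reference code; helper names are hypothetical. */

#define KYBER_Q 3329
#define COEFFS  16          /* simplified: real ML-KEM decodes 256 coefficients */

/* Value barrier: the empty asm claims to read and possibly modify x, so the
 * optimiser must treat the mask as an unknown value rather than as one of
 * {0x0000, 0xFFFF} and cannot legally replace "mask & c" with a branch. */
static inline uint16_t ct_barrier_u16(uint16_t x) {
#if defined(__GNUC__) || defined(__clang__)
    __asm__("" : "+r"(x));
#else
    volatile uint16_t v = x;   /* portable fallback: force a memory round-trip */
    x = v;
#endif
    return x;
}

/* Expand the low bit of `bit` into a full 16-bit mask: 0 -> 0x0000, 1 -> 0xFFFF. */
static inline uint16_t ct_mask_from_bit(unsigned bit) {
    return ct_barrier_u16((uint16_t)(0u - (bit & 1u)));
}

/* Naive idiom: semantically constant-time, but the compiler sees that the
 * mask has only two possible values and may emit `if (bit) r = c;`. */
uint16_t naive_select(unsigned bit, uint16_t c) {
    uint16_t mask = (uint16_t)(0u - (bit & 1u));
    return (uint16_t)(mask & c);
}

/* Hardened: identical result, but the mask is opaque to the optimiser. */
uint16_t ct_select(unsigned bit, uint16_t c) {
    return (uint16_t)(ct_mask_from_bit(bit) & c);
}

/* Message-to-polynomial step (simplified): each message bit becomes a
 * coefficient of 0 or (q+1)/2, chosen without branching on the bit. */
void msg_to_poly_ct(const uint8_t *msg, uint16_t *coeffs) {
    const uint16_t q_half = (KYBER_Q + 1) / 2;   /* 1665 */
    for (size_t i = 0; i < COEFFS; i++) {
        unsigned bit = (msg[i / 8] >> (i % 8)) & 1u;
        coeffs[i] = ct_select(bit, q_half);
    }
}

/* Branch-free equality over n bytes: 1 if equal, 0 otherwise, with no early
 * exit, so the running time does not reveal the first differing byte. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= (uint8_t)(a[i] ^ b[i]);
    /* (acc - 1) underflows to 0xFFFFFFFF only when acc == 0 */
    return (int)(((uint32_t)acc - 1u) >> 31);
}

/* Sanity check: the hardened select must agree with the naive one for both
 * bit values, otherwise the barrier changed semantics instead of codegen. */
int selects_agree(void) {
    const uint16_t q_half = (KYBER_Q + 1) / 2;
    return naive_select(0, q_half) == ct_select(0, q_half) &&
           naive_select(1, q_half) == ct_select(1, q_half);
}

int main(void) {
    /* Constructed sample message: 0xA5 = 1010 0101 (bit 0 is the LSB). */
    const uint8_t msg[2] = { 0xA5, 0x00 };
    uint16_t coeffs[COEFFS];
    msg_to_poly_ct(msg, coeffs);
    for (size_t i = 0; i < COEFFS; i++) printf("%u ", coeffs[i]);
    printf("\nselects agree: %d\n", selects_agree());
    return 0;
}
```

The barrier only removes the compiler's licence to introduce a branch; it does not prove the emitted code is constant-time. The practical check is to inspect the generated assembly for the select and comparison routines at every optimisation level and compiler version you ship, since the post's point is precisely that a workaround validated against today's compiler can be undone by the next one.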