On Sun, Dec 15, 2024, 10:16 AM Blumenthal, Uri - 0553 - MITLL < u...@ll.mit.edu> wrote:
> >It is obvious that pure PQ KEMs are the future > > I am not sure about that. X25519MLKEM768 is already quickly becoming the > new de facto standard (google.com, ericsson.com, > > government.se, etc. are already using it, likely thanks to Cloudflare). > > > > Do you seriously expect governments and standards bodies to keep approving > X25519 component *after* CRQC existence becomes public knowledge? What > purpose would it serve then? > The question isn't "will people use this indefinitely?". It's about what they should use today to hedge risks of improvements in our understanding of modular lattice problems. > > > It is already compliant with NIST specifications and soon it will be > possible to get FIPS certification. Not clear that the benefits of > migrating from X25519MLKEM768 to MLKEM768 will be worth it performance and > marketing wise. > > > >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
