Blumenthal, Uri - 0553 - MITLL writes:
> How do you expect us to reach a consensus

Consensus on moving a hybrid PQ KEM forward? There's already WG adoption of hybrid-design, and in general the mailing-list discussions make hybrid PQ KEMs look like the easy case where there's ample support and nobody actually objecting---sure, there are some important details to look at, but the basic concept seems non-controversial.

The situation is different for non-hybrid PQ, with opposing proposals to (1) ban non-hybrid PQ (main motivation stated: basically, the risks of further PQ breaks), or (2) standardize non-hybrid PQ (main motivation stated: basically, NSA demands this).

There are various potential paths to resolving this controversy. Maybe the easiest is to realize that the NSA-demands-this claim looks like the sort of rumor that has a good chance of rapidly crumbling if we insist on evidence-based decisions. It's not that anyone has quoted an official NSA document prohibiting non-hybrid PQ.

Meanwhile https://web.archive.org/web/20240925031754/https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF is an official NSA document and says that "hybrid solutions may be allowed or required due to protocol standards, product availability, or interoperability requirements"; and https://web.archive.org/web/20220524232250/https://www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf is an official NSA document describing an NSA program that asks for multiple cryptographic layers to mitigate "the ability of an adversary to exploit a single cryptographic implementation".

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org