> Even with Recommended=N, I can imagine many managers reacting to a
> presentation on "YOU NEED TO USE PQC LIKE ML-KEM BECAUSE ELSE..." by googling
> "deploy ML-KEM now" and being recommended this rather than a safer hybrid[1].
> I am not convinced that such a person, if given more knowledge, "doesn't want
> to do that".
>
> [1] After all, the manager was told to deploy MLKEM, not this suspicious
> X25519MLKEM, whatever scam that must surely be.
Really? I asked ChatGPT "Should I use MLKEM alone or a hybrid ECC + PQC combination?" and received the following balanced reply:

The decision between using ML-KEM (Kyber) alone or a hybrid ECC + PQC combination depends on your specific security and performance requirements.

Considerations for Each Approach:

ML-KEM (Kyber) Alone

✅ Pros:
- Post-quantum security: ML-KEM (Kyber) is designed to resist quantum attacks, unlike ECC.
- Simpler implementation: Using just one algorithm reduces complexity.
- More future-proof: ECC could become obsolete when quantum computers become practical.

❌ Cons:
- Less tested in the real world: Though NIST has standardized Kyber, it's still relatively new compared to ECC.
- Potential hidden vulnerabilities: Post-quantum cryptography (PQC) is evolving, and new attacks might emerge.

Hybrid ECC + PQC Combination

✅ Pros:
- Strongest security option: If ML-KEM is broken, ECC still provides security (and vice versa).
- Defense in depth: Combining a well-established (ECC) and a new (PQC) algorithm increases resilience.
- Better interoperability: Many current systems still rely on ECC.

❌ Cons:
- More computationally expensive: Hybrid approaches increase handshake size and latency.
- Complexity in implementation: Managing two key exchanges means additional attack vectors if not handled properly.

Which Should You Choose?
- If you need maximum security and don't mind extra computational costs, go for hybrid ECC + ML-KEM.
- If you prefer a simpler, efficient, and future-proof approach, ML-KEM alone is a strong choice.
- If your system needs to work with existing ECC-based infrastructures while transitioning to PQC, hybrid makes sense.

💡 Current Best Practice: Many organizations (e.g., Cloudflare, AWS) are using hybrid modes during the transition to fully post-quantum cryptography. If you're designing a system today, hybrid is the safer option for now.

Y(J)S