I would like to register my strong objection to this working group promoting the use of non-hybrid ML-KEM in any way, or any other non-hybrid post-quantum cryptosystem. The correct course of action is to recommend against such an ill-advised decision, not standardize and (implicitly) endorse its use by doing so. If someone wants a post-quantum cryptographic suite, we shouldn't place them in the position of having to weigh the pros and cons of hybridization, splitting the field in the process: instead, we should recommend a clear and universal standard, namely hybrid-only.
The performance improvements of a non-hybrid approach are trifling; the security risks are immense, given the breadth of attempted post-quantum cryptosystems that have fallen to classical attacks; and the argument of code simplicity in fact mediates in the opposite direction: in a non-hybrid system, a single bug anywhere in the program can ruin security, which is considerably alleviated by a hybrid approach.

Do not endorse or standardize any non-hybrid post-quantum cryptosystem, via this document or any other.

I have been following the debates of this working group from afar for a while, but I just joined the list because I needed to respond to this last call. I am baffled that so many people are taking a stand in favor of a non-hybrid system, which is transparently unwise.

For context, cryptography is not my area of research, but I did a master's degree in cryptography and have kept abreast of the major developments in the field over the intervening years.

Prof. Izzy Grosof (Isaac), they/she
Tech E280
isaacg1.github.io
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
