Hi Yaroslav,

I am certain that the answer to your question has already been discussed on this list many times. But just as a useful recap:
Hybrid constructions are insurance against our uncertainty about lattice problems. What a hybrid (e.g., X25519MLKEM768) protects against vs. ML-KEM alone:

1. Catastrophic cryptanalytic break of ML-KEM (classical or quantum)

ML-KEM is based on Module-LWE, which is well-studied but relatively young compared to ECDH. If a structural weakness is found in lattice-based schemes — whether exploitable classically or via a quantum algorithm beyond Shor — the ECDH component still provides security at its classical level. This is the primary motivation: hedge against algorithm risk in a scheme we have less confidence in historically.

2. Implementation/side-channel attacks targeting only one primitive

If an implementation flaw, fault attack, or side-channel leak compromises one component's shared secret, the other still contributes entropy. The combined shared secret (derived via HKDF over both shares) remains secure. This isn't a guarantee — correlated implementation bugs could affect both — but it reduces the attack surface.

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 20 Feb 2026, at 2:56 PM, Yaroslav Rosomakho <[email protected]> wrote:
>
> On Fri, Feb 20, 2026 at 8:33 AM Nadim Kobeissi <[email protected]> wrote:
>> I am in all honesty completely baffled by the highly unusual insistence to
>> adopt this draft. As I understand it:
>>
>> - Hybrid constructions protect us from classes of attacks that pure-PQ
>> constructions do not protect us against.
>
> Can you please clarify what classes of attacks you are referring to and how
> will those classes of attacks be mitigated once CRQC comes into existence?
>
> -yaroslav
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
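The "combined shared secret derived via HKDF over both shares" in the reply above is the TLS 1.3 key schedule applied to the concatenated hybrid shares. The following stand-alone Python example (added here; it is not code from the thread, the draft, or Symbolic Software) walks that combiner through the RFC 8446 key schedule and shows why recovering only one of the two shares does not give an attacker the Handshake Secret. Assumptions: the X25519MLKEM768 shared secret is the 32-byte ML-KEM-768 share followed by the 32-byte X25519 share (my reading of draft-ietf-tls-ecdhe-mlkem; check the current draft text), and the two shares are constructed random bytes standing in for real ML-KEM/X25519 outputs, since no KEM or ECDH is actually run here.

```python
"""Hybrid shared-secret combiner for X25519MLKEM768 in the TLS 1.3 key schedule.

Stdlib only.  The ML-KEM and X25519 shares are CONSTRUCTED random stand-ins
(no real KEM/ECDH is computed); everything after them is the RFC 5869 / RFC 8446
derivation as written.  Added example, not the thread's or the draft's code.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1 HKDF-Expand-Label, with the HkdfLabel struct as info."""
    full_label = b"tls13 " + label
    hkdf_label = (
        length.to_bytes(2, "big")
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """RFC 8446 Derive-Secret(Secret, Label, Messages) = Expand-Label over Transcript-Hash."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def hybrid_shared_secret(mlkem_ss: bytes, x25519_ss: bytes) -> bytes:
    """Concatenate the two shares.  ASSUMPTION: for X25519MLKEM768 the ML-KEM-768
    share (32 bytes) comes first, then the X25519 share (32 bytes)."""
    if len(mlkem_ss) != 32 or len(x25519_ss) != 32:
        raise ValueError("each share must be 32 bytes")
    return mlkem_ss + x25519_ss


def handshake_secret(shared_secret: bytes) -> bytes:
    """TLS 1.3 key schedule up to the Handshake Secret, no PSK (RFC 8446 section 7.1)."""
    zeros = bytes(HASH_LEN)
    early_secret = hkdf_extract(zeros, zeros)               # Early Secret with PSK = 0s
    derived = derive_secret(early_secret, b"derived", b"")  # Derive-Secret(., "derived", "")
    return hkdf_extract(derived, shared_secret)             # Handshake Secret


def attacker_guess(known_share: bytes, known_is_mlkem: bool, guess_for_other: bytes) -> bytes:
    """What an attacker who recovered ONE share (cryptanalysis, fault, side channel)
    can compute: they still have to supply the other 32-byte share themselves."""
    if known_is_mlkem:
        ss = hybrid_shared_secret(known_share, guess_for_other)
    else:
        ss = hybrid_shared_secret(guess_for_other, known_share)
    return handshake_secret(ss)


def demo() -> dict:
    # Constructed stand-ins for the real ML-KEM decapsulation and X25519 outputs.
    mlkem_ss = os.urandom(32)
    x25519_ss = os.urandom(32)
    real = handshake_secret(hybrid_shared_secret(mlkem_ss, x25519_ss))

    # Case 1 in the reply: lattice break, attacker knows mlkem_ss but not x25519_ss.
    mlkem_broken = attacker_guess(mlkem_ss, True, bytes(32))
    # CRQC / Shor case: attacker knows x25519_ss but not mlkem_ss.
    x25519_broken = attacker_guess(x25519_ss, False, bytes(32))

    return {
        "real": real,
        "mlkem_broken_guess_matches": mlkem_broken == real,
        "x25519_broken_guess_matches": x25519_broken == real,
    }


if __name__ == "__main__":
    r = demo()
    print("handshake secret:", r["real"].hex())
    print("attacker holding only the ML-KEM share recovers it:", r["mlkem_broken_guess_matches"])
    print("attacker holding only the X25519 share recovers it:", r["x25519_broken_guess_matches"])
```

The point the code makes is the one the reply makes: because both 32-byte shares enter HKDF-Extract as a single IKM, an attacker missing either one is left guessing 256 bits, regardless of which primitive fell. What it does not model is the caveat in the reply: a correlated bug (say, a shared RNG or a shared buffer-handling flaw) that leaks both shares at once defeats the combiner, and no key-schedule arithmetic helps with that.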
