Hiya,
On 21/02/2026 23:35, Izzy Grosof wrote:
> Under the probabilities I listed, the chance of a break under classical-only is 10%, under ML-KEM-only is 10%, and that hybrid is 1%. Hybrid is substantially less likely to be broken, and thus neither of the alternatives is acceptable. If you run your own numbers you'll find that hybrid is preferable by far unless you believe either that the events in which ECC-only and ML-KEM-only are broken are near-perfectly correlated, or one event is near-guaranteed to occur. I believe neither, so hybrid ML-KEM is the only acceptable option.
>
> To flesh out the argument more, we'd need to switch from single-cutoff probability of failure to consider the probability of failure year-by-year as a stochastic process, and also to analyze the distribution of partial breaks leading to a decrease in security without it vanishing altogether, and also the relative importance of live, real-time breaks versus SNDL breaks. While this would flesh out the argument, and would certainly be worthwhile, it wouldn't change the core conclusion: hybrid is better, because a double break is less likely than a single break.
I think the above is a useful description. I note yet again that it's independent of TLS, so having to have the discussion for each protocol is us being wasteful of our own effort and attention spans. I think it's also true that one might re-evaluate the situation every few years and possibly stick with the previous conclusion or reach a new one, depending on what facts are known.

All the above implies we should aim for a BCP for most protocols and not waste our time dealing with this on a per-protocol basis. (But I guess a bunch of you knew I'd conclude that:-)

Cheers,
S.
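As an added illustration of the probability argument quoted in this thread (example code, not from either poster): a small model that reproduces the 10%/10%/1% figures under independence, then adds a dependence parameter rho and a year-by-year hazard view, both of which are assumptions of this example rather than numbers from the thread.

```python
# Added example (not from the thread). Assumes each scheme's "broken by the
# cutoff" is a single event, the marginals are Izzy's 10%/10%, and the
# dependence between the two break events is one parameter rho in [0, 1]
# (0 = independent, 1 = the two schemes fall together). The annual hazards
# in the year-by-year functions are constructed illustrations, not estimates.
from __future__ import annotations


def joint_break_prob(p_ecc: float, p_kem: float, rho: float = 0.0) -> float:
    """P(both broken): product at rho=0, min(p_ecc, p_kem) at rho=1."""
    for name, v in (("p_ecc", p_ecc), ("p_kem", p_kem), ("rho", rho)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {v}")
    independent = p_ecc * p_kem          # no correlation between breaks
    comonotone = min(p_ecc, p_kem)       # upper bound: perfectly correlated
    return independent + rho * (comonotone - independent)


def option_break_probs(p_ecc: float, p_kem: float, rho: float = 0.0) -> dict[str, float]:
    """Break probability per deployment option; hybrid fails only if both fall."""
    return {
        "classical-only": p_ecc,
        "ml-kem-only": p_kem,
        "hybrid": joint_break_prob(p_ecc, p_kem, rho),
    }


def hybrid_advantage(p_ecc: float, p_kem: float, rho: float = 0.0) -> float:
    """min(single-scheme risk) - hybrid risk; zero only when rho = 1 or a
    marginal is 1, the two escape hatches named in the thread."""
    return min(p_ecc, p_kem) - joint_break_prob(p_ecc, p_kem, rho)


def break_by_year(annual_hazard: float, years: int) -> float:
    """P(scheme broken within `years`) under a constant per-year hazard."""
    return 1.0 - (1.0 - annual_hazard) ** years


def hybrid_break_by_year(h_ecc: float, h_kem: float, years: int) -> float:
    """Year-by-year variant: P(both broken within `years`), independent breaks."""
    return break_by_year(h_ecc, years) * break_by_year(h_kem, years)


if __name__ == "__main__":
    for rho in (0.0, 0.5, 0.9, 1.0):
        print(f"rho={rho}: {option_break_probs(0.10, 0.10, rho)}")
    print("hybrid, 10 years, 2%/yr hazards:", hybrid_break_by_year(0.02, 0.02, 10))
```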
