Hi, I think the argument was that many of the PQ algorithms have been broken by non-quantum computers, so the hybrid approach is better.
It's named after a distant relative (we are all related), so I know it:
https://en.wikipedia.org/wiki/Sayre%27s_law

I don't see any reason for a non-hybrid approach.

Thanks,
Rob

On Wed, Feb 25, 2026 at 2:27 PM Blumenthal, Uri - 0553 - MITLL <[email protected]> wrote:

> > Admittedly your answer (reported here below) was not addressing my
> > concerns.
> >
> > . . . . .
> >
> > A hybrid still has a chance of being secure if old good crypto would be
> > successfully attacked, so your argument does not stand.
>
> Let me repeat myself. If the data must *remain secure for a long time*,
> then the Classic part does not help, and the security of that data lies
> solely within the PQ component. Which part of this “does not stand”?
>
> > Isn't the point that the pure PQ ones might be broken by conventional
> > computers (and they have in the past)? That's my understanding of the
> > argument.
>
> The point is that if the data requires protection against CRQC — then if
> “pure” PQ is broken, the data is compromised no matter what. Because the
> Classic component will protect it *at best* until CRQC, at worst — even
> before that.
>
> Many algorithms, both Classic and PQ, have been broken in the past. The
> current standards (Classic and PQ) haven’t.
>
> Please take a look at the timeline table in the email you were responding
> to.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
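The combiner the thread is arguing about, as an added example that is not part of the mailing-list thread or of any TLS implementation: TLS 1.3 hybrid groups such as X25519MLKEM768 concatenate the ML-KEM-768 shared secret and the X25519 output and feed the result into the key schedule, so the session key depends on both components. The X25519 half below is implemented from RFC 7748 and checked against that RFC's test vectors; the ML-KEM-768 shared secret is a constructed placeholder (a full ML-KEM implementation does not fit here), and the HKDF-Extract call with a zero salt is a stand-in for the key-schedule step, not the exact TLS derivation. Python integers are not constant-time, so this is for illustration only.

```python
# Added example, not code from the TLS list thread: the concatenation
# combiner used by TLS 1.3 hybrid key-exchange groups such as
# X25519MLKEM768 (draft-ietf-tls-hybrid-design, draft-ietf-tls-ecdhe-mlkem).
# X25519 is implemented from RFC 7748 so the classical half really runs;
# the ML-KEM-768 shared secret is a constructed sample. Python big ints are
# not constant-time, so this is illustration, not production code.
import hashlib
import hmac

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, the Montgomery ladder constant


def _decode_scalar(k: bytes) -> int:
    """RFC 7748 clamping of a 32-byte X25519 private key."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127  # the top bit of the u-coordinate is ignored
    return int.from_bytes(b, "little") % P


def _cswap(swap: int, a: int, b: int):
    mask = (0 - swap) % (1 << 256)  # all ones when swap == 1, else zero
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns k * u as 32 bytes."""
    k_int, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_public(priv: bytes) -> bytes:
    return x25519(priv, (9).to_bytes(32, "little"))


def hybrid_shared_secret(mlkem_ss: bytes, x25519_ss: bytes) -> bytes:
    """X25519MLKEM768 combiner: ML-KEM-768 shared secret, then X25519 output."""
    if len(mlkem_ss) != 32 or len(x25519_ss) != 32:
        raise ValueError("both component secrets must be 32 bytes")
    return mlkem_ss + x25519_ss


def handshake_secret(shared: bytes, salt: bytes = b"\x00" * 32) -> bytes:
    """HKDF-Extract stand-in for the TLS 1.3 key-schedule step that absorbs
    the key-exchange shared secret. In TLS the salt would be
    Derive-Secret(Early Secret, "derived", ""); a constructed zero salt is
    used here."""
    return hmac.new(salt, shared, hashlib.sha256).digest()


# RFC 7748 section 6.1 test vectors for the X25519 half.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
X25519_SS = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

# Constructed stand-in for the ML-KEM-768 shared secret both peers would
# obtain from encapsulation/decapsulation (not real ML-KEM output).
MLKEM_SS = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()


def both_sides() -> tuple:
    """Client and server each combine their own X25519 result with the KEM
    secret; the two handshake secrets must match."""
    client = handshake_secret(hybrid_shared_secret(MLKEM_SS, x25519(ALICE_PRIV, BOB_PUB)))
    server = handshake_secret(hybrid_shared_secret(MLKEM_SS, x25519(BOB_PRIV, ALICE_PUB)))
    return client, server


if __name__ == "__main__":
    c, s = both_sides()
    print("peers agree:", c == s, c.hex())
```

Reading the combiner against the two positions in the thread: the handshake secret cannot be reproduced without both component secrets, so a conventional break of the ML-KEM component alone does not expose the session while X25519 holds, which is the case for hybrids made in the thread; but for traffic recorded today and attacked after a CRQC recovers the X25519 half, only the ML-KEM component is left between the attacker and the key, which is the long-term-secrecy point made in the quoted reply.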
