On Wed, Feb 25, 2026 at 09:38:59PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> > Admittedly your answer (reported here below) was not addressing my concerns.
>
> > . . . . .
>
> > A hybrid still has a chance of being secure if old good crypto would be
> > successfully attacked, so your argument does not stand.
>
> Let me repeat myself. If the data must remain secure for a long time, then the
> Classic part does not help, and the security of that data lies solely within
> the PQ component. Which part of this “does not stand”?
>
>
> The only difference the Classic part makes is probably preventing the data
> from being compromised early — which for long-time-valuable data is not enough.
>
I agree that it's nothing to rest on but even then it does make attacks
more expensive as the ECC keys are ephemeral.
> (This extra protection usually does not hurt, but in several use cases it does
> not help, and it adds the cost of introducing extra complexity in codebase and
> infrastructure management. For some — it is OK, so there’s tls-ecdhe-mlkem
> draft, that nobody objects to. For others — it is not OK, their needs are
> addressed by tls-mlkem.)
>
One problem with this draft is exactly that the motivation is still lacking.
What is an example of these "others" that need the ML-KEM key to be fully exposed?
> > To build confidence in RSA took 20 years or more. I do not expect that PQC
> > will have such a remarkably different path.
>
> You must have missed one of my previous emails — let me (again) repeat myself:
>
> System          Proposed   Standardized   Lag-to-Standardization   Math-Studied-For-How-Long
> RSA             1977       ~1993–1995     ~15–20 years             Number theory: 2000+ years
> ECC             1985       ~1998–2000     ~13–15 years             Elliptic curves: ~150 years
> Lattice crypto  1996       2022–2024      ~25 years                Lattices: ~150–200 years
> McEliece        1978       2024           ~46 years                Codes: ~60–75 years
>
> I hope this table is self-explanatory, and addresses your comment.
>
Just pointing to the time that has passed misses (at least) two important
aspects:
* Lattice-based crypto has been marred by patents since the beginning. While it
was fun to attack NTRU in particular because it was patented, this status did
slow down a lot of the research. It was not long before the NIST competition
started (and before the NTRU patent would have expired anyway) that they
removed the restrictions.
* We see in cryptanalysis results that we haven't reached stability yet.
That's why I recommend using level 3 and up, and ideally level 5, to have
some security margin, and of course combining with ECC.
ECC security was stable for a long time before widespread adoption started in
the mid 2000s. The main change was that there had been a patent deal between
Certicom and the NSA that made using ECC possible, that some research managed
to route around the patents (which e.g. led to the Brainpool curves), and that
some patents expired. In the ECC case the enhanced interest didn't do any
damage to curves over prime fields, but we saw a lot happening for composite
fields.
So, the table only works if you need to convince your management but the
implied argument does not hold.
Regards
Tanja
P.S. Out of curiosity, where did you see McEliece standardized in 2024?
All the best
Tanja
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]