>> - There does not seem to be any evidence that ML-KEM is weak. I think >> that if ML-KEM gets badly broken, it will be for unforeseeable reasons >> (which is a risk for any cryptographic algorithm, including prime- >> field ECC). > > Except that for a hybrid mode, both ML-KEM and ECC must be broken > simultaneously.
ECC break under CRQC is a-given. Which should matter for PQC context. As has been repeated countless times. > I think it is unwise to rely *only* on ML-KEM Then don’t — nobody is making you to. But don’t make decisions for somebody else, who — I assure you — knows what s/he is doing (and isn’t trying to impose her “wise/unwise” upon you!).
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
