On Fri, Feb 27, 2026 at 10:45:02PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> >> - There does not seem to be any evidence that ML-KEM is weak. I think
> >> that if ML-KEM gets badly broken, it will be for unforeseeable reasons
> >> (which is a risk for any cryptographic algorithm, including prime-field ECC).
> >
> > Except that for a hybrid mode, both ML-KEM and ECC must be broken
> > simultaneously.
>
> ECC break under CRQC is a-given. Which should matter for PQC context.
> As has been repeated countless times.
The fundamental disconnect is that there are:

- participants who do not believe CRQC are happening any time soon
- participants who do believe CRQC are happening soon (for some value of soon)

and

- participants who worry that NSA might have a cryptanalysis of ML-KEM-768 that has it have a strength of, say, 2^70ish
- participants who do not worry that NSA might have a cryptanalysis of ML-KEM

Given that, the only approach that will please all sides is to stick to hybrids. But then there are participants who insist on pure PQ because of performance, CNSA 2.0, etc. -- not terribly good reasons.

I don't know how you break this impasse, but "repeat[ing] countless times" is not a good answer.

Cheers,

Nico
