On Fri, Feb 27, 2026 at 08:29:39PM -0500, Deirdre Connolly wrote:
> # Security Considerations {#security-considerations}
>
> This document defines standalone ML-KEM key establishment for TLS 1.3.
> Hybrid key establishment mechanisms, which support combining a post-quantum
> algorithm with a traditional algorithm such as ECDH, are supported
> generically via {{HYBRID}} with some concrete definitions in
> {{ECDHE-MLKEM}}. Hybrid mechanisms provide security as long as at least one
> of the component algorithms remains unbroken, such as combining
> quantum-resistant and traditional cryptographic assumptions. Standalone
> ML-KEM relies on lattice-based and hash function cryptographic assumptions
> -for its security.
> +for its security. Proponents of hybrid PQ/T key establishment generally
> +consider it a conservative approach to deployment of newer post-quantum
> +schemes alongside older traditional schemes, retaining at least the
> security
> +currently offered by traditional algorithms.
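Review bot: The added sentence beginning "Proponents of hybrid PQ/T key establishment generally consider it a conservative approach" attributes the comparison to one camp instead of stating it in the document's own voice, so the section still gives a deployer no guidance on choosing between standalone ML-KEM and a hybrid group. Consider stating the property directly: hybrid retains at least the security currently offered by the traditional algorithm, while standalone ML-KEM rests only on the lattice-based and hash function assumptions named in the preceding sentence. The section could then say what a deployment gives up by selecting standalone. Separately, the wrapped line "security" has lost its "+" marker, so the hunk will not apply as quoted.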
Some might recall that I suggested and support rewriting the security
considerations.
And yet, I see the above as damning use of hybrid PQ with faint praise.
If this is to attain some support from the sceptics, it must
unequivocally acknowledge that at present hybrid is the strongly
recommended more conservative choice, and that pure ML-KEM is a more
risky choice that should not be made lightly.
--
Viktor. 🇺🇦 Слава Україні!