On 28.02.26 02:35, Deirdre Connolly wrote:
Trying to pull this up to its own subject

Here's a stab at more text around hybrid vs not-hybrid in Security Considerations:

# Security Considerations {#security-considerations} This document defines standalone ML-KEM key establishment for TLS 1.3.Hybrid key establishment mechanisms, which support combining a post-quantumalgorithm with a traditional algorithm such as ECDH, are supported generically via {{HYBRID}} with some concrete definitions in{{ECDHE-MLKEM}}. Hybrid mechanisms provide security as long as at least oneof the component algorithms remains unbroken, such as combining quantum-resistant and traditional cryptographic assumptions. StandaloneML-KEM relies on lattice-based and hash function cryptographic assumptions-for its security. +for its security. Proponents of hybrid PQ/T key establishment generally +consider it a conservative approach to deployment of newer post-quantum+schemes alongside older traditional schemes, retaining at least the security+currently offered by traditional algorithms.
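
Review bot: The added sentence after "for its security." gives the hybrid rationale as the view of "Proponents of hybrid PQ/T key establishment", while the unchanged text above it already states as fact that hybrid mechanisms provide security as long as at least one component algorithm remains unbroken. The paragraph also has no matching statement for the standalone case: it says standalone ML-KEM "relies on lattice-based and hash function cryptographic assumptions" but not what follows for a TLS 1.3 connection if those assumptions fail. Suggest stating the retained-security property directly rather than as an opinion, and adding one sentence on the standalone consequence so the two options are described in the same terms.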
Thanks for the update. 3 significant problems with this text:

* Why mention of "proponents of hybrid PQ"? Is there a single participant of the WG who believes that pure ML-KEM is more secure than hybrid? This point MUST come out absolutely clearly in the text.
* A comparison needs to state the threat model and security properties that pure ML-KEM vs. hybrid actually achieve in the context of TLS 1.3.
* Risks of pure ML-KEM need to be thoroughly mentioned.

Thanks,
-Usama
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
