Dear Deirdre,
This isn’t very important, but putting aside ML-KEM’s massive key size increase over X25519, the claim that ML-KEM is almost twice as fast as X25519 is highly dependent on hardware optimizations, as far as I’m aware, and is not always true.
It could become increasingly universally true over the coming years though, as hardware optimizations to accommodate ML-KEM become more common. For example, I think Apple hardware recently implemented SHA3 as a CPU instruction, and that certainly would give ML-KEM a big speed boost!

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> In particular when the use of hybrid crypto comes with negligible overhead, as for ML-KEM + ECC.
> On 27.02.2026 at 21:16, Ilari Liusvaara <[email protected]> wrote:
> - There does not seem to be any evidence that ML-KEM is weak. I think
> that if ML-KEM gets badly broken, it will be for unforeseeable reasons
> (which is a risk for any cryptographic algorithm, including prime-
> field ECC).
Except that for a hybrid mode, both ML-KEM and ECC must be broken simultaneously.
I think it is unwise to rely *only* on ML-KEM (or any other scheme based on relatively new hardness assumptions), and currently do not support any draft that does not use hybrid cryptography. In particular when the use of hybrid crypto comes with negligible overhead, as for ML-KEM + ECC.
For almost every broken cryptosystem there was a time when there seemed to be no evidence that it is weak. ML-KEM still needs to stand the test of time.
Best regards,
Tibor
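The point above, that in a hybrid mode an attacker has to break both ML-KEM and the ECC component to recover the session key, comes down to how the two shared secrets are combined. The following is an added illustration, not code from this thread or from any TLS draft: a concatenation-style combiner that feeds both secrets through HKDF with the handshake transcript bound in. The shape of the combiner, the 32-byte secret sizes, and the sample secrets and transcript are all constructed assumptions; no ML-KEM or X25519 operation is performed here.

```python
import hashlib
import hmac

# Constructed stand-ins for the outputs of ML-KEM.Decaps and X25519.
# They are fixed bytes so the example is deterministic; real values are
# fresh per handshake.
SS_MLKEM = bytes(range(0, 32))
SS_ECDH = bytes(range(32, 64))
TRANSCRIPT = b"ClientHello||ServerHello (constructed transcript)"

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) over SHA-256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) over SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_shared_secret(ss_mlkem: bytes, ss_ecdh: bytes,
                         transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from both component shared secrets.

    The two secrets are concatenated before extraction (assumed combiner
    shape), so the output stays pseudorandom as long as at least one of
    them is unknown to the attacker. Binding the transcript into the info
    string ties the key to this specific handshake.
    """
    if len(ss_mlkem) != 32 or len(ss_ecdh) != 32:
        raise ValueError("expected 32-byte component secrets")
    ikm = ss_mlkem + ss_ecdh
    # Zero salt of hash length, as RFC 5869 specifies when no salt is given.
    prk = hkdf_extract(salt=b"\x00" * HASH().digest_size, ikm=ikm)
    return hkdf_expand(prk, b"hybrid-kem" + transcript, length)


def attacker_recovers_key(known_mlkem: bool, known_ecdh: bool) -> bool:
    """Model an attacker who has broken zero, one, or both components.

    A broken component means the attacker knows its shared secret; for an
    unbroken one the attacker is left guessing (all-zero guess here).
    Returns True only when the attacker's derived key equals the real key.
    """
    real = hybrid_shared_secret(SS_MLKEM, SS_ECDH, TRANSCRIPT)
    guess_mlkem = SS_MLKEM if known_mlkem else bytes(32)
    guess_ecdh = SS_ECDH if known_ecdh else bytes(32)
    guessed = hybrid_shared_secret(guess_mlkem, guess_ecdh, TRANSCRIPT)
    return hmac.compare_digest(real, guessed)


if __name__ == "__main__":
    key = hybrid_shared_secret(SS_MLKEM, SS_ECDH, TRANSCRIPT)
    print("session key:", key.hex())
    for mlkem, ecdh in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"ML-KEM broken={mlkem!s:5} ECC broken={ecdh!s:5} -> "
              f"key recovered: {attacker_recovers_key(mlkem, ecdh)}")
```

Run stand-alone, the script prints the derived key and then shows that only the case where both components are broken yields the real key; with either secret still unknown the derived value differs, which is the property the hybrid construction is meant to provide.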
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]