Discussion summary

Discussions focus on NSA's influence on cryptography standards, with concerns about government overreach and the security of cryptographic methods like ECC and MLKEM. Experts debate the technical validity and implications of these standards.

What the discussion says

  • Some believe NSA's influence may compromise security standards.
  • Cryptographers are divided on the effectiveness of hybrid cryptography.
  • Concerns about government overreach in cryptography decisions.
  • Technical debates on the security of MLKEM and ECC methods.
Post quantum cryptography doesn't change NSA's endpoint hacking capabilities.
maqp
The more cryptography-literate you are, the more likely you think hybrids are silly.
tptacek

Comments

Hacker News

Disappointed that there is not more discussion about this as this looks to be a slow march to the government getting its way with a technology that will affect so many.

by lprimeisafk

if i were the nsa, I'd have spent all my research money on attacking ecc+pq, because 1. no self respecting security engineer would deploy bare pq (see cloudflare), 2. no phd research team would attack the combination (well, not before until it's too late) because that's harder than a phd requires (they will target solo pq or solo ecc). 3. it's much easier to "sell". q.e.d. this article.

by iririririr

This is completely backwards. The more cryptography-literate you are, the more likely it is you think hybrids are silly. Plenty of cryptographers think this is all bullshit, and that ECC+MLKEM makes about as much sense as an AES+Serpent cascade. It is simultaneously the case that MLKEM is far less mysterious than programmers on message boards think it is, and that conventional ECC and finite field cryptography is much more mysterious and spooky than they think it is.

(I'm only somewhat cryptography-literate and so I would myself default to a hybrid, though that opinion might change the first time I bother banging together an MLKEM implementation.)

by tptacek

Probably not. It's been ~13 years when Snowden said what the NSA is doing is going around the encryption by hacking endpoints. Post quantum cryptography doesn't change any of that. You can still lift TLS keys with exploits for transparent MITM. I'd imagine it's much better ROI to look for vulnerabilities with Mythos, than to attack the algorithms.

by maqp

  MLKEM wasn't designed by NSA, but rather by a team of highly-regarded European academic cryptographers, including Bernstein's former collaborator Peter Schwabe
As you know, teams are vulnerable to infiltration and individuals to compromise. Corruption often stems from various motives, including ideology

by slim

that's really not possible for ML-KEM. They took a well-known "boring" design, and tweaked certain internal sub-components of it. Their tweaks were good, and their analysis/exposition of it were good. So they deserve to win. But there were many essentially identical schemes (e.g. Saber and New Hope are essentially the same as ML-KEM).

To infiltrate/compromise ML-KEM, then NSA would need to do something like

1. corrupt some europeans for the literal submission, and

2. corrupt the competing submissions, which are substantially similar, and

3. corrupt the entirety of the cryptographic community so they miss a flaw in the (extremely simple tbh) 2011 paper htat kicked off hte design.

If a conspiracy requires corrupting a single person it's plausible. ML-KEM being intentionally weakend by the NSA would quite literally require corrupting like 100+ different people in different countries. it makes no sense.

by mswphd

Highly recommended reading for effectively understanding the behavior patterns of bad-faith participants in such exchanges: https://www.scribd.com/document/345154863/Guide-to-Forum-Spi...

If the link goes down, the content is available in many other places across the web under the title "The Gentleman's Guide To Forum Spies (spooks, feds, etc.)"

by anonym29

To those who say that approving or not this RFC won't make any difference:

«- Liaisons: We received liaison statements from multiple SDOs including O-RAN[2], IEEE 802.11[4] and from 3GPP[3] expressing support for the publication of draft-ietf-tls-mlkem as an RFC as they rely on the IETF to provide a stable normative reference»

(https://mailarchive.ietf.org/arch/msg/tls/ol2otAvtdDrdz_xY0_...)

by g-b-r

If a US three letter agency recommends it, I don't want it.

by potatototoo99

Didn't the FDA used to recommend pasteurizing milk?

by some_furry

the NSA also recommends elliptic curve cryptography, and designed SHA2 themselves. if you want we can talk through how to disable all of these ciphersuites, so you can be stuck with a bunch of shitty stuff from the 90s and feel warm and fuzzy about it.

by mswphd

DJB keeps calling the IETF consensus process "voting". That's detrimental to his own case; when there is a vote, the vote can be manipulated. It makes much more sense to argue there is no consensus, which should be quite obvious at this point, and which can be argued even in a "60:40" situation regardless of direction. It also avoids alienating "true IETF believers" (ed.: I am one).

Apart from that, the crux of this is the codepoint allocation in the named group registry. [https://www.iana.org/assignments/tls-parameters/tls-paramete...] The requirement for that allocation (with "recommended=N" - which is what this draft has) is "Specification Required", not "IETF consensus". "Specification" for IANA registries doesn't mean IETF documents, it means:

  […] must be documented in a permanent and readily
  available public specification, in sufficient detail so that
  interoperability between independent implementations is possible.
[https://datatracker.ietf.org/doc/html/rfc8126#section-4.6]

As such I don't understand why the authors are so intent at ramming this through the IETF process when they could just put the same document whereever. The process has been sufficiently and publicly fraught enough to destroy any "reputation" that might (or might not) come associated with it being published as IETF RFC.

[ed.: referenced wrong registry, it's named groups, not cipher suites. Makes no difference, same registration procedure.]

FTR, the only [preliminary] entry with recommended=Y for PQ crypto is:

  4588  X25519MLKEM768  Combining X25519 ECDH with ML-KEM-768  https://datatracker.ietf.org/doc/html/draft-ietf-tls-ecdhe-mlkem-05
[ed.2: this is getting a funky spread of up & down votes, any of the downvoters mind commenting why they're downvoting?]

by eqvinox

Sadly, a similar myth/fallacy persists about the Wikipedia consensus process (at least the English project and others deriving policy from it.)

Participants in disputes and RFCs literally call their comments “!vote” in true hacker notation, to repeatedly and clearly emphasize that “vote count” is never a factor in the process of establishing consensus.

(Elections are, however, regularly held, and votes counted, for positions such as Administrator, and the ArbCom seats, but that’s for people, not article content.)

by ButlerianJihad

The issue with saying that "there's a 60/40 split, therefore there's no consensus" is that the IETF explicitly documents that that isn't the case: RFC 7282, Section 7, "Five people for and one hundred people against might still be rough consensus" (https://datatracker.ietf.org/doc/html/rfc7282#section-7).

The working group chairs have to decide if all of the objections have been "addressed". However, "addressed" doesn't mean "fixed via changes in the document", it can also mean "debunked on the mailing list" or "dismissed out of hand as irrelevant". So your argument that there obviously isn't consensus doesn't actually hold up.

by phasmantistes

Adding a little color here... There are already code points registered for pure ML-KEM on the basis of the draft.

The hybrid code point you reference is "preliminary" in the sense that when the RFC for hybrid ECC/ML-KEM is published (it's already been approved, https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/), it will replace the reference in the registry. However, it will have the same code point and the same semantics. If, for some reason, the IETF were to change the semantics, a new code point would have to be assigned for interop reasons.

by ekr____

By dint of not including a list of non-cryptographer cosigners, this one is prima facie somewhat less cringe.

by tptacek

> Secret NSA documents showed that NSA pushed DES in the 1970s to "drive out competitors" while knowing that DES was "weak enough" to break; meanwhile NSA publicly claimed that it would use DES

Is this true? The NSA pushed for weaker cryptography it could break versus stronger cryptography our adversaries couldn't?

by JumpCrisscross

Sure. Everbody knows that

by rurban

as mentioned it's complicated, but the general trend of the NSA pushing cryptography they can break and others can't is well-known.

https://en.wikipedia.org/wiki/NOBUS

note that there is no even candidate way the NSA would have a NOBUS-type vulnerability for ML-KEM. DUAL_EC_DRBG was known to plausibly have a NOBUS-style backdoor prior to standardization, provided you used a certain "default" generator (vs freshly generating your own). It was later discovered that the NSA payed RSA (the company) to do this.

While this payment was private, the possibility of a back door was publicly known. There are no publicly known candidate backdoors for ML-KEM. The broad design of an ML-KEM-like scheme permits one ("static" matrix A), but ML-KEM was specifically designed to make this impossible ("ephemeral" matrix A).

by mswphd

It's complicated. The federal government pushed for a smaller DES key size, but also fixed the DES s-boxes to resist differential cryptanalysis.

by tptacek

This post was pretty technical. Let's explain a couple of terms:

ML-KEM -- Module-Lattice-Based Key-Encapsulation Mechanism

ML-DSA -- Module-Lattice-Based Digital Signature Algorithm

solo PQ -- Using post-quantum crypto on its own

ECC+PQ -- Using post-quantum crypto as a layer on top of traditional elliptical curve cryptography (ECC)

So what's at stake here, is that the PQ crypto is not proven yet, and had recent implementation vulnerabilities (Kyberslash 1 & 2).

In the NSA's defense, combining cryptosystems also creates attack surfaces, timing problems, additional complexity, etc. Perhaps they know something we don't. They have sometimes acted to strengthen public cryptography, as with the DES S-boxes and differential cryptanalysis. Of course, they also weakened the key-space...

by avidiax

> In the NSA's defense, combining cryptosystems also creates attack surfaces, timing problems, additional complexity, etc

Actually, Dr. Nadim Kobeissi formally proved that hybrid is secure, even if ML-KEM fails. [1]

[1] https://eprint.iacr.org/2026/1147

by rasengan

1. Kyberslash is mostly marketing. Some implementations (including the Kyber reference implementation, but *not* including the Kyber AVX implementation) had a non-constant time component. This is a meaningful CVE. It is not some fundamental weakness that should cause a panic. Note that the non-constant time implementations were caught ~2 years ago, prior to any deployment. So it was a sign of everything going "as expected", not of some new fundamental issue.

2. combining the cryptosystems, in most settings, is rather low cost. I would personally recommend it as a sensible default. It is not low cost in every setting though, for example in hardware it necessitates both a SHA2 and SHA3 impl, which is fairly expensive. So while hybrids are a sensible default, I would not go as far as to attempt to "ban" use of pure ML-KEM.

3. pure ML-KEM is much more "proven" than people are discussing. The core hardness assumption dates back to 2005, and has been intensely studied (the paper introducing it got a cryptography version of a Nobel prize (Godel prize), as did several follow-up works only achievable using that hardness assumption. The essential components of ML-KEM were proposed in ~2011. An extremely similar scheme (New Hope) was deployed experimentally in a hybrid in Chrome in 2016. Very concretely, the best theoretical attacks on ML-KEM take time ~2^cn for a c that has not changed in the last ~decade. Everything is as boring as you might hope.

On essentially any reasonable measure you could ask for, things have been "stable" with ML-KEM for ~1 decade. In the intervening years, a number of academics/companies have devoted a great deal of money on things built from even more sketchy hardness assumptions (I'm discussing the things underlying Fully Homomorphic Encryption). Even these have been essentially fine (I have some personal quibbles with some assumptions used, though they are technically dense, and are not relevant to ML-KEM in the slightest). So this is to say that there are natural "easier instances" of the thing underlying ML-KEM, and there still haven't been successful attacks of those instances.

Anyway though, the question isn't "should you use pure ML-KEM rather than hybrid". I would personally suggest hybrid unless it is extremely limiting for some particular scenario (and there are scenarios, such as hardware, where it is). The question is "should we standardize how pure ML-KEM TLS works, so implementors can create interoperable implementations?".

The answer to this should (clearly) be yes. ML-KEM is boring, high-quality cryptography. If a quantum computer appeared tomorrow, and only ML-KEM protected me, I would not lose any sleep personally. Efforts to delay standardization rely on "arguments" that do not match reality in the slightest.

by mswphd

France and Germany propose hybrid schemes as well: The german position:

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publicat...

"The quantum-safe mechanisms recommended in this Technical Guideline are generally not yet trusted to the same extent as the established classical mechanisms, since they have not been as well studied with regard to side-channel resistance and implementation security. To ensure the long-term security of a key agreement, this Technical Guideline therefore recommends the use of a hybrid key agreement mechanism that combines a quantum-safe and a classical mechanism."

The french position, also quoting the German position:

https://cyber.gouv.fr/sites/default/files/document/follow_up...

"As outlined in the previous position paper [1], ANSSI still strongly emphasizes the necessity of hybrid wherever post-quantum mitigation is needed both in the short and medium term. Indeed, even if the post-quantum algorithms have gained a lot of attention, they are still not mature enough to solely ensure the security"

by thomasdeleeuw

The IETF already has a standard hybrid scheme and it's what everybody already uses. That's not what this is about.

by tptacek

DJB has orchestrated a vote rigging campaign against this WGLC, encouraging users to join the list and vote/express their opinion and providing the exact subject header to use. Have any other sides been saying, essentially, just join the group and say you’re for/against?

He’s been moderated during the last call because of his email disclaimer/footnote, and apparently refuses to respond on list during this time. Seems like he’s playing a few steps ahead where he can (yet again) cry foul on the system and cry foul on vote rigging. Despite him being a key instigator. I’ve already seen at least one poster reference a RFC explaining how IETF consensus works and how its not a pure numbers game (5 for and 100 against can still be consensus, depending on the circumstances; the inverse also applies).

What’s his next step if the authors publish as an information RFC? He can’t stop that, right?

by yardstick

Join the discussion

Write your take first — we'll ask for email only when you're ready to publish.

  • Hacker News
  • Disappointed that there is not more discussion about this as this looks to be a slow march to the government getting its way with a technology that will affect so many.
    by lprimeisafk
  • if i were the nsa, I'd have spent all my research money on attacking ecc+pq, because 1. no self respecting security engineer would deploy bare pq (see cloudflare), 2. no phd research team would attack the combination (well, not before until it's too late) because that's harder than a phd requires (they will target solo pq or solo ecc). 3. it's much easier to "sell". q.e.d. this article.
    by iririririr
  • This is completely backwards. The more cryptography-literate you are, the more likely it is you think hybrids are silly. Plenty of cryptographers think this is all bullshit, and that ECC+MLKEM makes about as much sense as an AES+Serpent cascade. It is simultaneously the case that MLKEM is far less mysterious than programmers on message boards think it is, and that conventional ECC and finite field cryptography is much more mysterious and spooky than they think it is.

    (I'm only somewhat cryptography-literate and so I would myself default to a hybrid, though that opinion might change the first time I bother banging together an MLKEM implementation.)

    by tptacek
  • Probably not. It's been ~13 years when Snowden said what the NSA is doing is going around the encryption by hacking endpoints. Post quantum cryptography doesn't change any of that. You can still lift TLS keys with exploits for transparent MITM. I'd imagine it's much better ROI to look for vulnerabilities with Mythos, than to attack the algorithms.
    by maqp
  •   MLKEM wasn't designed by NSA, but rather by a team of highly-regarded European academic cryptographers, including Bernstein's former collaborator Peter Schwabe
    
    As you know, teams are vulnerable to infiltration and individuals to compromise. Corruption often stems from various motives, including ideology
    by slim
  • that's really not possible for ML-KEM. They took a well-known "boring" design, and tweaked certain internal sub-components of it. Their tweaks were good, and their analysis/exposition of it were good. So they deserve to win. But there were many essentially identical schemes (e.g. Saber and New Hope are essentially the same as ML-KEM).

    To infiltrate/compromise ML-KEM, then NSA would need to do something like

    1. corrupt some europeans for the literal submission, and

    2. corrupt the competing submissions, which are substantially similar, and

    3. corrupt the entirety of the cryptographic community so they miss a flaw in the (extremely simple tbh) 2011 paper htat kicked off hte design.

    If a conspiracy requires corrupting a single person it's plausible. ML-KEM being intentionally weakend by the NSA would quite literally require corrupting like 100+ different people in different countries. it makes no sense.

    by mswphd
  • Highly recommended reading for effectively understanding the behavior patterns of bad-faith participants in such exchanges: https://www.scribd.com/document/345154863/Guide-to-Forum-Spi...

    If the link goes down, the content is available in many other places across the web under the title "The Gentleman's Guide To Forum Spies (spooks, feds, etc.)"

    by anonym29
  • From the other direction, the ITU-T has a highly regarded presentation on how to actually work with consensus procedures & establish said consensus:

    https://www.itu.int/en/ITU-T/tutorials/202203/Documents/Rein...

    by eqvinox
  • To those who say that approving or not this RFC won't make any difference:

    «- Liaisons: We received liaison statements from multiple SDOs including O-RAN[2], IEEE 802.11[4] and from 3GPP[3] expressing support for the publication of draft-ietf-tls-mlkem as an RFC as they rely on the IETF to provide a stable normative reference»

    (https://mailarchive.ietf.org/arch/msg/tls/ol2otAvtdDrdz_xY0_...)

    by g-b-r
  • If a US three letter agency recommends it, I don't want it.
    by potatototoo99
  • Didn't the FDA used to recommend pasteurizing milk?
    by some_furry
  • the NSA also recommends elliptic curve cryptography, and designed SHA2 themselves. if you want we can talk through how to disable all of these ciphersuites, so you can be stuck with a bunch of shitty stuff from the 90s and feel warm and fuzzy about it.
    by mswphd
  • DJB keeps calling the IETF consensus process "voting". That's detrimental to his own case; when there is a vote, the vote can be manipulated. It makes much more sense to argue there is no consensus, which should be quite obvious at this point, and which can be argued even in a "60:40" situation regardless of direction. It also avoids alienating "true IETF believers" (ed.: I am one).

    Apart from that, the crux of this is the codepoint allocation in the named group registry. [https://www.iana.org/assignments/tls-parameters/tls-paramete...] The requirement for that allocation (with "recommended=N" - which is what this draft has) is "Specification Required", not "IETF consensus". "Specification" for IANA registries doesn't mean IETF documents, it means:

      […] must be documented in a permanent and readily
      available public specification, in sufficient detail so that
      interoperability between independent implementations is possible.
    
    [https://datatracker.ietf.org/doc/html/rfc8126#section-4.6]

    As such I don't understand why the authors are so intent at ramming this through the IETF process when they could just put the same document whereever. The process has been sufficiently and publicly fraught enough to destroy any "reputation" that might (or might not) come associated with it being published as IETF RFC.

    [ed.: referenced wrong registry, it's named groups, not cipher suites. Makes no difference, same registration procedure.]

    FTR, the only [preliminary] entry with recommended=Y for PQ crypto is:

      4588  X25519MLKEM768  Combining X25519 ECDH with ML-KEM-768  https://datatracker.ietf.org/doc/html/draft-ietf-tls-ecdhe-mlkem-05
    
    [ed.2: this is getting a funky spread of up & down votes, any of the downvoters mind commenting why they're downvoting?]
    by eqvinox
  • Sadly, a similar myth/fallacy persists about the Wikipedia consensus process (at least the English project and others deriving policy from it.)

    Participants in disputes and RFCs literally call their comments “!vote” in true hacker notation, to repeatedly and clearly emphasize that “vote count” is never a factor in the process of establishing consensus.

    (Elections are, however, regularly held, and votes counted, for positions such as Administrator, and the ArbCom seats, but that’s for people, not article content.)

    by ButlerianJihad
  • The issue with saying that "there's a 60/40 split, therefore there's no consensus" is that the IETF explicitly documents that that isn't the case: RFC 7282, Section 7, "Five people for and one hundred people against might still be rough consensus" (https://datatracker.ietf.org/doc/html/rfc7282#section-7).

    The working group chairs have to decide if all of the objections have been "addressed". However, "addressed" doesn't mean "fixed via changes in the document", it can also mean "debunked on the mailing list" or "dismissed out of hand as irrelevant". So your argument that there obviously isn't consensus doesn't actually hold up.

    by phasmantistes
  • Adding a little color here... There are already code points registered for pure ML-KEM on the basis of the draft.

    The hybrid code point you reference is "preliminary" in the sense that when the RFC for hybrid ECC/ML-KEM is published (it's already been approved, https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/), it will replace the reference in the registry. However, it will have the same code point and the same semantics. If, for some reason, the IETF were to change the semantics, a new code point would have to be assigned for interop reasons.

    by ekr____
  • Is there anything different about this DJB mailing list brigading than the other brigading he's done?

    Four days ago: https://news.ycombinator.com/item?id=48760490

    by jauntywundrkind
  • By dint of not including a list of non-cryptographer cosigners, this one is prima facie somewhat less cringe.
    by tptacek
  • > Secret NSA documents showed that NSA pushed DES in the 1970s to "drive out competitors" while knowing that DES was "weak enough" to break; meanwhile NSA publicly claimed that it would use DES

    Is this true? The NSA pushed for weaker cryptography it could break versus stronger cryptography our adversaries couldn't?

    by JumpCrisscross
  • Sure. Everbody knows that
    by rurban
  • DJB wrote a short history of NSA’s malicious meddling in the cryptography we all use, based on a declassified internal history of the NSA.

    https://blog.cr.yp.to/20220805-nsa.html

    by philodeon
  • as mentioned it's complicated, but the general trend of the NSA pushing cryptography they can break and others can't is well-known.

    https://en.wikipedia.org/wiki/NOBUS

    note that there is no even candidate way the NSA would have a NOBUS-type vulnerability for ML-KEM. DUAL_EC_DRBG was known to plausibly have a NOBUS-style backdoor prior to standardization, provided you used a certain "default" generator (vs freshly generating your own). It was later discovered that the NSA payed RSA (the company) to do this.

    While this payment was private, the possibility of a back door was publicly known. There are no publicly known candidate backdoors for ML-KEM. The broad design of an ML-KEM-like scheme permits one ("static" matrix A), but ML-KEM was specifically designed to make this impossible ("ephemeral" matrix A).

    by mswphd
  • It's complicated. The federal government pushed for a smaller DES key size, but also fixed the DES s-boxes to resist differential cryptanalysis.
    by tptacek
  • This post was pretty technical. Let's explain a couple of terms:

    ML-KEM -- Module-Lattice-Based Key-Encapsulation Mechanism

    ML-DSA -- Module-Lattice-Based Digital Signature Algorithm

    solo PQ -- Using post-quantum crypto on its own

    ECC+PQ -- Using post-quantum crypto as a layer on top of traditional elliptical curve cryptography (ECC)

    So what's at stake here, is that the PQ crypto is not proven yet, and had recent implementation vulnerabilities (Kyberslash 1 & 2).

    In the NSA's defense, combining cryptosystems also creates attack surfaces, timing problems, additional complexity, etc. Perhaps they know something we don't. They have sometimes acted to strengthen public cryptography, as with the DES S-boxes and differential cryptanalysis. Of course, they also weakened the key-space...

    by avidiax
  • > In the NSA's defense, combining cryptosystems also creates attack surfaces, timing problems, additional complexity, etc

    Actually, Dr. Nadim Kobeissi formally proved that hybrid is secure, even if ML-KEM fails. [1]

    [1] https://eprint.iacr.org/2026/1147

    by rasengan
  • > Perhaps they know something we don't

    Perhaps

    https://blog.cr.yp.to/20260704-bugs.html#damage

    by g-b-r
  • 1. Kyberslash is mostly marketing. Some implementations (including the Kyber reference implementation, but *not* including the Kyber AVX implementation) had a non-constant time component. This is a meaningful CVE. It is not some fundamental weakness that should cause a panic. Note that the non-constant time implementations were caught ~2 years ago, prior to any deployment. So it was a sign of everything going "as expected", not of some new fundamental issue.

    2. combining the cryptosystems, in most settings, is rather low cost. I would personally recommend it as a sensible default. It is not low cost in every setting though, for example in hardware it necessitates both a SHA2 and SHA3 impl, which is fairly expensive. So while hybrids are a sensible default, I would not go as far as to attempt to "ban" use of pure ML-KEM.

    3. pure ML-KEM is much more "proven" than people are discussing. The core hardness assumption dates back to 2005, and has been intensely studied (the paper introducing it got a cryptography version of a Nobel prize (Godel prize), as did several follow-up works only achievable using that hardness assumption. The essential components of ML-KEM were proposed in ~2011. An extremely similar scheme (New Hope) was deployed experimentally in a hybrid in Chrome in 2016. Very concretely, the best theoretical attacks on ML-KEM take time ~2^cn for a c that has not changed in the last ~decade. Everything is as boring as you might hope.

    On essentially any reasonable measure you could ask for, things have been "stable" with ML-KEM for ~1 decade. In the intervening years, a number of academics/companies have devoted a great deal of money on things built from even more sketchy hardness assumptions (I'm discussing the things underlying Fully Homomorphic Encryption). Even these have been essentially fine (I have some personal quibbles with some assumptions used, though they are technically dense, and are not relevant to ML-KEM in the slightest). So this is to say that there are natural "easier instances" of the thing underlying ML-KEM, and there still haven't been successful attacks of those instances.

    Anyway though, the question isn't "should you use pure ML-KEM rather than hybrid". I would personally suggest hybrid unless it is extremely limiting for some particular scenario (and there are scenarios, such as hardware, where it is). The question is "should we standardize how pure ML-KEM TLS works, so implementors can create interoperable implementations?".

    The answer to this should (clearly) be yes. ML-KEM is boring, high-quality cryptography. If a quantum computer appeared tomorrow, and only ML-KEM protected me, I would not lose any sleep personally. Efforts to delay standardization rely on "arguments" that do not match reality in the slightest.

    by mswphd
  • France and Germany propose hybrid schemes as well: The german position:

    https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publicat...

    "The quantum-safe mechanisms recommended in this Technical Guideline are generally not yet trusted to the same extent as the established classical mechanisms, since they have not been as well studied with regard to side-channel resistance and implementation security. To ensure the long-term security of a key agreement, this Technical Guideline therefore recommends the use of a hybrid key agreement mechanism that combines a quantum-safe and a classical mechanism."

    The french position, also quoting the German position:

    https://cyber.gouv.fr/sites/default/files/document/follow_up...

    "As outlined in the previous position paper [1], ANSSI still strongly emphasizes the necessity of hybrid wherever post-quantum mitigation is needed both in the short and medium term. Indeed, even if the post-quantum algorithms have gained a lot of attention, they are still not mature enough to solely ensure the security"

    by thomasdeleeuw
  • The IETF already has a standard hybrid scheme and it's what everybody already uses. That's not what this is about.
    by tptacek
  • DJB has orchestrated a vote rigging campaign against this WGLC, encouraging users to join the list and vote/express their opinion and providing the exact subject header to use. Have any other sides been saying, essentially, just join the group and say you’re for/against?

    He’s been moderated during the last call because of his email disclaimer/footnote, and apparently refuses to respond on list during this time. Seems like he’s playing a few steps ahead where he can (yet again) cry foul on the system and cry foul on vote rigging. Despite him being a key instigator. I’ve already seen at least one poster reference a RFC explaining how IETF consensus works and how its not a pure numbers game (5 for and 100 against can still be consensus, depending on the circumstances; the inverse also applies).

    What’s his next step if the authors publish as an information RFC? He can’t stop that, right?

    by yardstick

Related stories