
Hybrid should be required


Posted Dec 9, 2025 19:31 UTC (Tue) by david.a.wheeler (subscriber, #72896)
Parent article: Disagreements over post-quantum encryption for TLS

At this point in time, I think hybrid should be the only allowed approach. PQC algorithms are far less mature, as evidenced by SIKE. Hybrid is the only way to ensure we aren't making things worse by using new, less mature algorithms.



Hybrid should be required

Posted Dec 9, 2025 23:32 UTC (Tue) by hailfinger (subscriber, #76962) [Link] (2 responses)

Does that mean you want to disallow pure-RSA and pure-ECC as well?

Hybrid should be required

Posted Dec 10, 2025 1:16 UTC (Wed) by brunowolff (guest, #71160) [Link] (1 responses)

There are actually use cases for RSA and ECC only. They require enough less resources than PQ algorithms that it might matter. For systems with secrets that expire quickly, PQ protection may not be important, since as far as we know there aren't currently any PQ machines that can break currently used key sizes for RSA and ECC. The converse isn't true, as there is very little extra relative cost to adding RSA or ECC to a PQ algorithm and there is significant safety added by doing so.

Hybrid should be required

Posted Dec 10, 2025 11:52 UTC (Wed) by hkario (subscriber, #94864) [Link]

ML-KEM-768 is actually faster than X25519, ECDH with P-256, not to mention FFDH 2048...


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds