|
|
Log in / Subscribe / Register

Hybrid should be required

Hybrid should be required

Posted Dec 9, 2025 23:32 UTC (Tue) by hailfinger (subscriber, #76962)
In reply to: Hybrid should be required by david.a.wheeler
Parent article: Disagreements over post-quantum encryption for TLS

Does that mean you want to disallow pure-RSA and pure-ECC as well?

to post comments

Hybrid should be required

Posted Dec 10, 2025 1:16 UTC (Wed) by brunowolff (guest, #71160) [Link] (1 responses)

There are actually use cases for RSA and ECC only. They require enough less resources than PQ algorithms that it might matter. For systems with secrets that expire quickly, PQ protection may not be important, since as far as we know there aren't currently any PQ machines that can break currently used key sizes for RSA and ECC. The converse isn't true, as there is very litte extra relative cost to adding RSA or ECC to a PQ algorithm and there is significant safety added by doing so.

Hybrid should be required

Posted Dec 10, 2025 11:52 UTC (Wed) by hkario (subscriber, #94864) [Link]

ML-KEM-768 is actually faster than X25519, ECDH with P-256, not to mention FFDH 2048...


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds