I find it mildly annoying that while the post is replete with hyperlinks, the 2 central terms “ietf-tls-mlkem” and “ietf-tls-ecdhe-mlkem” are simply quoted with no further elaboration.
I am no cryptographer, but after some searching around, my very first-order understanding is that mlkem is a new algorithm that is meant to be resistant to attacks by a quantum computer. It is not time-tested at this point, however, while ecdhe is a current (albeit quantum-computer-weak) algorithm that has a solid track record.
Using both in combination is seen by some as a safer way to move forward, since mlkem may yet prove to have a fatal weakness and at least you have that fallback on the tried and true. Advocates also point out that ecdhe is cheap to compute compared to mlkem, and so the overhead of tossing it in there is not the end of the world?
Anyway, that’s all I’ve been able to glean so far.
My assumption is, if the NSA is pushing for a standard, it is not the standard that security-conscious people would want adopted.