• Category: Security
  • Status: discussion
  • Sources: Understanding lattice risks, action page, HN discussion
  • Summary: Daniel J. Bernstein published an argument and call to action against IETF endorsement of solo ML-KEM in TLS, framing it as a weakening of the deployed ECC plus ML-KEM hybrid. His case rests on the history of broken post-quantum candidates (SIKE was broken after deployment to millions of connections) and on hybrid key exchange as defense in depth if the lattice layer fails. He characterizes the push toward non-hybrid post-quantum key exchange as driven by NSA and GCHQ.
  • Why it matters: The hybrid-versus-non-hybrid choice sets the default post-quantum key-exchange posture for TLS libraries and the browsers and servers that depend on them.
  • Follow-up: Track the IETF TLS working group position on non-hybrid ML-KEM and any library defaults that follow.

Send feedback on this story