| ▲ | throw0101d 3 days ago | |
> DJB supports the use of ML-KEM in TLS, but he correctly says that using only ML-KEM is unwise Then don't use it if you don't want to? Use hybrid? ML-KEM (CRYSTALS-Kyber) is a NIST standard, FIPS 203: * https://csrc.nist.gov/pubs/fips/203/final * https://en.wikipedia.org/wiki/ML-KEM There's also HQC, FIPS 207: * https://csrc.nist.gov/presentations/2025/fips-207-hqc-kem Unless you're doing government work, there's no reason why you'd be force to use Officially Approved™ algorithms: * https://en.wikipedia.org/wiki/Commercial_National_Security_A... If the (US) government wants to use (allegedly) compromised algorithms with-in itself that's up to them. The rest of us can use whatever we want. | ||