Comment by throw0101d

3 days ago

> DJB supports the use of ML-KEM in TLS, but he correctly says that using only ML-KEM is unwise

Then don't use it if you don't want to? Use hybrid? ML-KEM (CRYSTALS-Kyber) is a NIST standard, FIPS 203:

* https://csrc.nist.gov/pubs/fips/203/final

* https://en.wikipedia.org/wiki/ML-KEM

There's also HQC, FIPS 207:

* https://csrc.nist.gov/presentations/2025/fips-207-hqc-kem

Unless you're doing government work, there's no reason why you'd be force to use Officially Approved™ algorithms:

* https://en.wikipedia.org/wiki/Commercial_National_Security_A...

If the (US) government wants to use (allegedly) compromised algorithms with-in itself that's up to them. The rest of us can use whatever we want.