← Back to context

Comment by throw0101d

3 days ago

> I do not see any flaw in his arguments, while anyone who says that ML-KEM should be used alone is making a bet for which there exists no justification, i.e. the risk is extremely high and the reward is extremely low.

And who is making that 'ML-KEM alone' argument? AIUI, the IETF currently recommends hybrid.

It's on the US government talking to itself that would maybe do non-hybrid:

* https://en.wikipedia.org/wiki/Commercial_National_Security_A...

If the US government wants to compromise itself… then fine?

Also, HQC (FIPS 207) has been chosen as a backup / alternative to ML-KEM (formerly "Kyber"):

* https://www.nist.gov/news-events/news/2025/03/nist-selects-h...