Hasty Briefs

Bugs happen: The easy way to compare solo PQ to ECC+PQ

8 hours ago
  • #Software Vulnerabilities
  • #Post-Quantum Cryptography
  • #ECC+PQ Security
  • ECC+PQ (hybrid) is recommended over solo PQ: with solo PQ, every exploitable bug in the PQ software is an immediate security disaster, whereas in a hybrid the attacker must also break the ECC layer.
  • ML-KEM and ML-DSA implementations have already shipped with bugs and secret-dependent timing leaks (for example the KyberSlash1 and KyberSlash2 division-timing leaks in Kyber implementations), and more are expected because the code is newer and far less tested than mature ECC software.
  • Even if the PQ specifications themselves remain unbroken, flaws in PQ libraries will leak keys; in a hybrid, such a leak does not expose the session unless the ECC layer is broken as well, which delays the attack and limits the damage.
  • Early quantum attacks will be expensive and limited in scale, so the ECC layer keeps protecting against every attacker who does not yet have an available and affordable quantum computer.
  • The cost of adding ECC to PQ is negligible next to PQ's own cost (X25519 adds 32 bytes to the 800-byte ML-KEM-512 public key), and production deployments such as Cloudflare's show ECC+PQ already working at scale without delays.
  • Proponents of solo PQ rely on flawed arguments, such as overstating the complexity or cost of the hybrid, and ignore the value of ECC in surviving software vulnerabilities and in delaying quantum attacks.
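The following is an added example, not code from the original post, showing the hybrid argument in running code: a session key derived from an X25519 shared secret and a KEM shared secret together, compared with a solo-PQ derivation when the PQ layer leaks its shared secret. X25519 is implemented from RFC 7748 with the standard library only (it is not constant time; it is there to make the ECC layer real, not for production use). ML-KEM is not available in the standard library, so the "PQ KEM" is a constructed stand-in whose shared secret is computable from public values; that is the modelled bug, standing in for a key-recovery flaw like a timing leak. The HKDF-based combiner shape and all function names are assumptions of this example, not a standardized combiner.

```python
"""Hybrid ECC+PQ combiner versus solo PQ when the PQ layer leaks (added example)."""
import hashlib
import hmac
import os

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (A - 2) / 4 for Curve25519
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5. The swap below branches on
    secret bits, so this is NOT constant time; use a vetted library for real work."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def ecc_keygen():
    sk = os.urandom(32)
    return sk, x25519(sk, BASEPOINT)


# Constructed stand-in KEM (NOT ML-KEM, NOT secure): its shared secret is a hash
# of public values only, so pq_ss_from_public() recovers it outright. This models
# a PQ implementation bug that hands the attacker the KEM shared secret.
def pq_keygen():
    sk = os.urandom(32)
    return sk, hashlib.sha256(b"standin-pk" + sk).digest()


def pq_ss_from_public(pk: bytes, ct: bytes) -> bytes:
    return hashlib.sha256(b"standin-ss" + pk + ct).digest()


def pq_encaps(pk: bytes):
    ct = os.urandom(32)
    return ct, pq_ss_from_public(pk, ct)


def pq_decaps(sk: bytes, ct: bytes) -> bytes:
    return pq_ss_from_public(hashlib.sha256(b"standin-pk" + sk).digest(), ct)


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(ecc_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Combiner (assumed shape): both secrets plus the transcript feed one KDF.
    Passing ecc_ss=b"" gives the solo-PQ derivation for comparison."""
    label = b"hybrid" if ecc_ss else b"solo-pq"
    return hkdf(ecc_ss + pq_ss, label, transcript)


def run_handshake(hybrid: bool):
    """Returns (initiator_key, responder_key, attacker_key). The attacker sees
    only public values and exploits the PQ bug; the ECC secret stays unknown."""
    r_ecc_sk, r_ecc_pk = ecc_keygen()
    r_pq_sk, r_pq_pk = pq_keygen()
    i_ecc_sk, i_ecc_pk = ecc_keygen()
    pq_ct, pq_ss = pq_encaps(r_pq_pk)
    transcript = r_ecc_pk + i_ecc_pk + r_pq_pk + pq_ct
    i_ecc_ss = x25519(i_ecc_sk, r_ecc_pk) if hybrid else b""
    r_ecc_ss = x25519(r_ecc_sk, i_ecc_pk) if hybrid else b""
    i_key = session_key(i_ecc_ss, pq_ss, transcript)
    r_key = session_key(r_ecc_ss, pq_decaps(r_pq_sk, pq_ct), transcript)
    leaked = pq_ss_from_public(r_pq_pk, pq_ct)      # the PQ layer gave this away
    # Without the ECC shared secret the attacker can only substitute a guess
    # (all zeros here); any value other than the real DH output fails.
    a_key = session_key(bytes(32) if hybrid else b"", leaked, transcript)
    return i_key, r_key, a_key


def attacker_recovers_key(hybrid: bool) -> bool:
    i_key, r_key, a_key = run_handshake(hybrid)
    assert hmac.compare_digest(i_key, r_key)       # both parties agree
    return hmac.compare_digest(i_key, a_key)


if __name__ == "__main__":
    print("solo PQ, PQ layer leaks  -> attacker has session key:", attacker_recovers_key(False))
    print("ECC+PQ,  PQ layer leaks  -> attacker has session key:", attacker_recovers_key(True))
```

The transcript (both ECC key shares, the KEM public key and the ciphertext) is mixed into the KDF so that a key derived for one handshake cannot be replayed into another; the 32-byte X25519 share that makes the hybrid case survive the leak is the same 32 bytes the article counts as the entire ECC overhead.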