Bugs happen: The easy way to compare solo PQ to ECC+PQ
8 hours ago
- #Software Vulnerabilities
- #Post-Quantum Cryptography
- #ECC+PQ Security
- ECC+PQ (hybrid) is recommended over solo PQ because a solo-PQ deployment turns every exploitable bug in the PQ software into an immediate break, with no second layer left standing; the argument is about software failures, not only about the mathematics.
- ML-KEM and ML-DSA implementations have already had numerous bugs, including secret-dependent timing leaks (e.g., KyberSlash1 and KyberSlash2 in Kyber/ML-KEM code), and more vulnerabilities are expected because the code is newer and far less tested than the ECC software it is meant to replace.
- Even if the PQ specifications are never broken, software flaws in PQ libraries will expose keys; with an ECC layer underneath, such a flaw only drops a session to ECC security, so the attacker still needs a quantum computer rather than just the bug, which delays attacks and limits the damage.
- Early quantum attacks will be expensive and few, so the ECC layer still buys time: data protected by ECC+PQ stays safe until quantum computers are both available and affordable, even if the PQ layer has already failed.
- The cost of adding ECC to PQ is negligible next to PQ's own costs (e.g., an X25519 public key adds 32 bytes to ML-KEM's 800+-byte public key), and deployments such as Cloudflare's show ECC+PQ already working at scale without delays.
- Proponents of solo PQ use flawed arguments, such as overstating complexity or costs, and ignore the value of ECC in mitigating software vulnerabilities and delaying quantum attacks.
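To make the KyberSlash point concrete, here is an added example (not code from the original post and not the pq-crystals reference code) showing the bug class and the practitioner's check. ML-KEM's compression step divides a secret coefficient by q = 3329; KyberSlash showed that on some platforms and compilers that division becomes a hardware divide whose latency depends on the coefficient. The fix replaces the division with a multiply-and-shift. The constants 1665 and 80635 (2^28 / q, rounded down) are, to my knowledge, those of the reference fix; whether or not that recollection is exact, the block below proves by exhaustive enumeration over [0, q-1] that this pair reproduces the original arithmetic, and shows that the nearby pairs (1664, 80635) and (1665, 80636) each get one coefficient wrong. The function names are ours.

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Original pattern (what KyberSlash exploited): division by the constant q.
 * Whether the compiler turns this into a constant-time multiply or into a
 * hardware DIV whose latency depends on the secret coefficient t is
 * platform- and compiler-dependent. */
static unsigned tomsg_bit_div(unsigned t)
{
    return (((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1;
}

/* Constant-time replacement: x / q computed as (x * 80635) >> 28, with
 * 80635 ~ 2^28 / q. Adding 1665 (not q/2 = 1664) together with the slightly
 * too small multiplier reproduces floor((2t + 1664) / q) for every
 * t in [0, q-1]; check_equivalence() below verifies this exhaustively. */
static unsigned tomsg_bit_mul(unsigned t)
{
    uint32_t d = (uint32_t)t << 1;
    d += 1665;
    d *= 80635;
    d >>= 28;
    return d & 1;
}

/* The same pair for 4-bit compression of a coefficient. */
static unsigned compress4_div(unsigned t)
{
    return (((t << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
}

static unsigned compress4_mul(unsigned t)
{
    uint32_t d = (uint32_t)t << 4;
    d += 1665;
    d *= 80635;   /* may wrap mod 2^32; since 2^32 >> 28 == 16, the wrap
                     changes the shifted value by a multiple of 16 and the
                     low 4 bits kept below are unaffected */
    d >>= 28;
    return d & 15;
}

/* Exhaustive equivalence check over the whole coefficient range [0, q-1].
 * Returns 1 if both constant-time versions agree with the division form on
 * every input, 0 otherwise. */
int check_equivalence(void)
{
    for (unsigned t = 0; t < KYBER_Q; t++) {
        if (tomsg_bit_div(t) != tomsg_bit_mul(t)) return 0;
        if (compress4_div(t) != compress4_mul(t)) return 0;
    }
    return 1;
}

/* Generalised 1-bit check: how many coefficients a candidate (add, mul)
 * pair gets wrong. Both the rounding offset and the multiplier matter:
 * (1664, 80635) misses t = 2497 and (1665, 80636) misses t = 832, where
 * 2t + add is an exact multiple of q and the rounding error flips floor(). */
unsigned mismatch_count_1bit(uint32_t add, uint32_t mul)
{
    unsigned bad = 0;
    for (unsigned t = 0; t < KYBER_Q; t++) {
        uint32_t d = (((uint32_t)t << 1) + add) * mul;
        if (((d >> 28) & 1) != tomsg_bit_div(t)) bad++;
    }
    return bad;
}

int main(void)
{
    printf("reference constants exact over [0, q-1]: %s\n",
           check_equivalence() ? "yes" : "no");
    printf("mismatches with (1665, 80635): %u\n", mismatch_count_1bit(1665, 80635));
    printf("mismatches with (1664, 80635): %u\n", mismatch_count_1bit(1664, 80635));
    printf("mismatches with (1665, 80636): %u\n", mismatch_count_1bit(1665, 80636));
    return 0;
}
```

The exhaustive loop is the check to keep: a multiply-and-shift that is "almost" right for division by q silently miscompresses a handful of coefficients, which is a correctness bug rather than a leak, and the input space here is small enough that there is no excuse for not enumerating it. The larger lesson for the hybrid argument is that this kind of fix lands in a library after the leak has shipped; with an ECC layer in place, sessions made with the leaky build were still protected against any attacker without a quantum computer.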