Quantum-safe signatures: Hybrid or not? Delay or not?
It is well-accepted that with PQ KEMs, in particular ML-KEM, we need to move with urgency, and that we should deploy ML-KEM in hybrid with RSA or ECC to protect against potential algorithmic attacks. Is the same true of PQ signatures, in particular ML-DSA? We will explore the arguments why or why not. We will then explore several IETF Internet-Drafts for PQ hybrids and other PQ migration mechanisms for PKI on which the presenter is a primary author: CompositeML-DSA, CompositeML-KEM, Alt Public Keys, Chameleon certificates, external public keys, RelatedCertificateDestriptor, and of course simple multiple certificate approaches.
 
     
	
                 
                 
	
                 
	
                 
	
               
	
               
	
               
	
               
	
               
	
               
	
               
	
         
	
           
                    
         
	
           
	
           
	
           
	
           
	
           
      
    