Hacker News

d1sxeyes, today at 6:42 AM (3 replies)

Basically the idea is to use hybrid. AES-GCM-256 or ChaCha20-Poly1305 for symmetric encryption (which is already PQ-safe), and ML-KEM looks set to become the standard for key encapsulation.

ML-KEM-768 is fast as an algorithm, faster than X25519 in terms of pure computation, but uses large keys, so has higher overheads on small payloads. Most of the time, they’re about equal, or the absolute time is so slow it doesn’t matter.

Most folks now are doing hybrid ML-KEM and X25519 to guard against undiscovered flaws in ML-KEM.


Replies

purplehat_, today at 6:52 AM

For people reading this, you may want to know that the NSA is allegedly trying to weaken hybrid ML-KEM and X25519 down to just ML-KEM. This is a good thing to pay attention to!

Here is a 6-part article about the topic: https://blog.cr.yp.to/20251004-weakened.html

cube2222, today at 10:02 AM

It’s worth noting that e.g. the Go stdlib has this hybrid construction built-in via crypto/hpke.
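The hybrid construction the top comment describes (ML-KEM-768 plus X25519, combined into one key that drives an AEAD), written out in Go as an added illustration. This is not the crypto/hpke API cube2222 mentions, nor code from any of the commenters; it uses only crypto/mlkem, crypto/ecdh and crypto/hkdf from the Go 1.24+ standard library, concatenates the two shared secrets and runs HKDF over them with the public key and ciphertext bound into the info string. The "hybrid-demo-v1" label and the plain concatenated wire format (encapsulation key || X25519 public key, ML-KEM ciphertext || ephemeral X25519 public key) are this example's own choices, not a standard encoding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Recipient holds the two long-term private halves of the hybrid key pair.
type Recipient struct {
	kemDK *mlkem.DecapsulationKey768
	dhSK  *ecdh.PrivateKey
}

func NewRecipient() (*Recipient, error) {
	dk, err1 := mlkem.GenerateKey768()
	sk, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	return &Recipient{kemDK: dk, dhSK: sk}, nil
}

// PublicKey returns the ML-KEM-768 encapsulation key (1184 bytes) followed
// by the X25519 public key (32 bytes); this is what the recipient publishes.
func (r *Recipient) PublicKey() []byte {
	return append(r.kemDK.EncapsulationKey().Bytes(), r.dhSK.PublicKey().Bytes()...)
}

// combine derives one 32-byte AEAD key from both shared secrets, so the key stays
// secret as long as either KEM holds up. Binding pk and ct into the HKDF info
// ties the key to this exchange; the "hybrid-demo-v1" label is this example's own.
func combine(ssKEM, ssDH, pk, ct []byte) ([]byte, error) {
	ikm := append(append([]byte{}, ssKEM...), ssDH...)
	return hkdf.Key(sha256.New, ikm, nil, "hybrid-demo-v1"+string(pk)+string(ct), 32)
}

// Encapsulate runs ML-KEM-768 encapsulation plus an ephemeral X25519 exchange
// against pk and returns the combined key and the bytes to send (1088 + 32).
func Encapsulate(pk []byte) (key, ct []byte, err error) {
	if len(pk) != mlkem.EncapsulationKeySize768+32 {
		return nil, nil, errors.New("bad public key length")
	}
	ek, err1 := mlkem.NewEncapsulationKey768(pk[:mlkem.EncapsulationKeySize768])
	theirDH, err2 := ecdh.X25519().NewPublicKey(pk[mlkem.EncapsulationKeySize768:])
	eph, err3 := ecdh.X25519().GenerateKey(rand.Reader)
	if err = errors.Join(err1, err2, err3); err != nil {
		return nil, nil, err
	}
	ssKEM, ctKEM := ek.Encapsulate()
	ssDH, err := eph.ECDH(theirDH) // fails on low-order points (all-zero result)
	if err != nil {
		return nil, nil, err
	}
	ct = append(ctKEM, eph.PublicKey().Bytes()...)
	key, err = combine(ssKEM, ssDH, pk, ct)
	return key, ct, err
}

// Decapsulate recovers the same key on the recipient's side. ML-KEM uses
// implicit rejection: a corrupted ciphertext yields a different pseudorandom
// key rather than an error, so it is the AEAD that ultimately detects tampering.
func (r *Recipient) Decapsulate(ct []byte) ([]byte, error) {
	if len(ct) != mlkem.CiphertextSize768+32 {
		return nil, errors.New("bad ciphertext length")
	}
	ssKEM, err1 := r.kemDK.Decapsulate(ct[:mlkem.CiphertextSize768])
	ephPub, err2 := ecdh.X25519().NewPublicKey(ct[mlkem.CiphertextSize768:])
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	ssDH, err := r.dhSK.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return combine(ssKEM, ssDH, r.PublicKey(), ct)
}

// AEAD returns AES-256-GCM keyed with the derived key; the caller supplies a
// unique 12-byte nonce per message.
func AEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	r, _ := NewRecipient()
	key, ct, _ := Encapsulate(r.PublicKey())
	key2, _ := r.Decapsulate(ct)
	fmt.Printf("%d-byte encapsulation, keys match: %v\n", len(ct), string(key) == string(key2))
}
```

The size numbers in the thread show up directly: the sender transmits 1120 bytes of encapsulation where plain X25519 would send 32. Flipping a byte of the ML-KEM ciphertext does not make Decapsulate fail; it silently produces a different key, and only the AEAD open under that key reports the problem, which is why the derived key must never be used for anything without an authenticated encryption step.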

d1sxeyes, today at 11:35 AM

So low, not so slow.