We want to protect chats against harvest now/decrypt later threats.
To do this we'll use a hybrid PQ ciphersuite that uses a quantum-resistant KEM but keeps classical signatures, in order to keep the extra size/bandwidth penalty to a minimum.
Check out https://www.ietf.org/archive/id/draft-ietf-mls-pq-ciphersuites-01.html for more details on the PQ ciphersuites for MLS. We'll most likely use the MLS_128_MLKEM768X25519_AES256GCM_SHA384_Ed25519 ciphersuite in addition to the basic (and required) ciphersuite that we currently use.