IETF wants non-hybrid lattice key exchanges in TLS
We've expected that lattice KEMs would only be used in hybrid combination with establish elliptic curve key exchanges, which ameliorates any weakness in the lattice KEM. In particular, there exist worse side channel attacks upon lattice KEMs than upon elliptic …