>>> Is the size of QSKE blob that the responder has to return to initiator 
>>> likely
>>> to be either unknown to the initator or very different than the
>>> initiator->responder direction?

I believe Daniel has touched on this. But let me add more information on this 
specific query. There are two kinds key-exchange mechanism for post-quantum 
algorithms, namely Diffie-Hellman-like and KEM. For DH-like, from what we 
investigated so far, the public data is pretty much of equal size for both 
directions. On the hand, for KEM, this could be very asymmetric. The blob sent 
by the initiator to responder could be 1MB in size, and this is the public-key 
of the initiator. The responder then needs to sample some random data, encrypt 
it and send it back to the responder. The size of this ciphertext could well 
just be 1KB. Because the size of this ciphertext is dependent on the size of 
the random data, a KEM algorithm may need to specify the size of the random 
data. It could be similar to the case of ENCR where there is an attribute to 
specify the key size, or it could be fixed.

In both cases, once the parameters are agreed, the blob size is known in 
advance.

CJ

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to