Dear all, 

After Valery's presentation on our KEM based authentication in IKEv2 draft at 
the 125 meeting in Shenzhen, Scott asked if the performance gains would be 
sufficient to justify the additional complexity that this adds. Valery replied 
that this needs to be evaluated in adoption calls, and also pointed out that this 
kind of authentication offers two new properties: it provides complete repudiation 
and protects the initiator's privacy better (as the responder reveals its identity 
first).

In addition, besides using ML-KEM to replace ML-DSA for authentication in IKEv2, 
we also noticed that some other KEMs could be good candidates as well. For 
example, Classic McEliece has public key sizes from 260KB to 1.36 MB, which is 
huge compared to ML-KEM. However, the ciphertext sizes are just 96-208 bytes, 
very short. Therefore, in the case where two entities need to authenticate with 
each other frequently, Classic McEliece could be a good choice to save 
communication overhead, by assuming that each side can store the public key or 
certificate of the other side. If a few MB of storage is not an issue, using 
Classic McEliece as KEM based authentication may even be practical for IoT 
devices with constrained capability, but only communicating with fixed parties.

Table 6 in [1] gives the exact sizes of Classic McEliece variants. 

We would appreciate your comments and opinions on the above issues/ideas.

Cheers, 

Guilin & Valery, 

[1] https://datatracker.ietf.org/doc/draft-prabel-pquip-pqc-overview/ 

-----Original Message-----
From: [email protected] <[email protected]> 
Sent: Monday, 2 March 2026 10:49 pm
To: Wang Guilin <[email protected]>; Wang Guilin <[email protected]>; 
Valery Smyslov <[email protected]>
Subject: New Version Notification for draft-wang-ipsecme-kem-auth-ikev2-03.txt

A new version of Internet-Draft draft-wang-ipsecme-kem-auth-ikev2-03.txt has 
been successfully submitted by Valery Smyslov and posted to the IETF repository.

Name:     draft-wang-ipsecme-kem-auth-ikev2
Revision: 03
Title:    KEM-based Authentication for IKEv2 with Post-quantum Security
Date:     2026-03-02
Group:    Individual Submission
Pages:    24
URL:      https://www.ietf.org/archive/id/draft-wang-ipsecme-kem-auth-ikev2-03.txt
Status:   https://datatracker.ietf.org/doc/draft-wang-ipsecme-kem-auth-ikev2/
HTMLized: https://datatracker.ietf.org/doc/html/draft-wang-ipsecme-kem-auth-ikev2
Diff:     https://author-tools.ietf.org/iddiff?url2=draft-wang-ipsecme-kem-auth-ikev2-03

Abstract:

   This draft specifies a new authentication mechanism, called KEM (Key
   Encapsulation Mechanism) -based authentication, for the Internet Key
   Exchange Protocol Version 2 (IKEv2).  This is motivated by the fact
   that some post-quantum KEMs (like ML-KEM) are more efficient than
   post-quantum signature algorithms (like ML-DSA).



The IETF Secretariat


_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
