Hi Guilin and Valery,
> Op 7 apr 2026, om 11:12 heeft Wang Guilin > <[email protected]> het volgende geschreven: > > In addition, beside using ML-KEM to replace ML-DSA for authentication in > IKEv2, we also noticed that some other KEMs could be good candidates as well. > For example, Classic McEliece has public key sizes from 260KB to 1.36 MB, > which is huge compared to ML-KEM. However, the ciphertext sizes are just > 96-208 bytes, very short. Therefore, in the case two entities need to > authentication with each other frequently, Classic McEliece could be a good > choice to save communication overhead, by assuming that each side can store > public key or certificate of the other side. If a few MB storage is not an > issue, using Classic McEliece as KEM based authentication may be even > practical for IoT devices with constrained capability, but only communicating > with fixed parties. > > Table 6 in [1] gives the exact sizes of Classic McEliece variants. I think that the use of Classic McEliece to avoid transmission suits IKEv2 well, since it supports some “Certificate” formats such as the hash-and-url scheme that very naturally work for this out-of-band distribution of public keys. Of course this mechanism will also be useful for UOV-style schemes that have very large public keys but small signatures. Cheers, Thom
_______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
