Hi Thom, Hi Guilin and Valery,
On 7 Apr 2026, at 11:12, Wang Guilin <[email protected]> wrote:

In addition, besides using ML-KEM to replace ML-DSA for authentication in IKEv2, we also noticed that some other KEMs could be good candidates as well. For example, Classic McEliece has public key sizes from 260KB to 1.36 MB, which is huge compared to ML-KEM. However, the ciphertext sizes are just 96-208 bytes, very short. Therefore, in the case two entities need to authenticate with each other frequently, Classic McEliece could be a good choice to save communication overhead, by assuming that each side can store the public key or certificate of the other side. If a few MB of storage is not an issue, using Classic McEliece as KEM-based authentication may be even practical for IoT devices with constrained capability, but only communicating with fixed parties. Table 6 in [1] gives the exact sizes of Classic McEliece variants.

I think that the use of Classic McEliece to avoid transmission suits IKEv2 well, since it supports some “Certificate” formats such as the hash-and-url scheme that very naturally work for this out-of-band distribution of public keys. Of course this mechanism will also be useful for UOV-style schemes that have very large public keys but small signatures.

Hash-and-URL was indeed considered while writing the draft as a way to avoid sending large data. But with pre-provisioned certificates the “URL” part becomes unnecessary (as opposed to the cached certificates). RFC 7296 is unclear whether this part can be omitted at all, but this can be easily clarified as a corner case for the Hash-and-URL encoding, when only the hash is present. Alternatively, some “dummy” URL can be included, but this looks like a hack.

Regards,
Valery.

Cheers,
Thom
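The hash-only corner case discussed in the thread, sketched as an added example that is not part of any message, the draft, or an IKEv2 implementation. It assumes the RFC 7296 Hash-and-URL layout (Cert Encoding 12, a 20-octet SHA-1 hash followed by the URL); accepting an empty URL is the clarification proposed above, not settled RFC behaviour, and all function names and the sample data are hypothetical.

```python
import hashlib
import hmac

HASH_AND_URL_X509 = 12  # RFC 7296 Cert Encoding: Hash and URL of X.509 certificate
SHA1_LEN = 20           # the encoding starts with a 20-octet SHA-1 hash

def provision(der_certs):
    """Build the local store of pre-provisioned peer certificates, keyed by SHA-1."""
    return {hashlib.sha1(der).digest(): der for der in der_certs}

def parse_hash_and_url(cert_data):
    """Split Certificate Data into (hash, url); url is None when only the hash is present."""
    if len(cert_data) < SHA1_LEN:
        raise ValueError("Certificate Data shorter than a SHA-1 hash")
    url = cert_data[SHA1_LEN:]
    return cert_data[:SHA1_LEN], (url.decode("ascii") if url else None)

def resolve_certificate(encoding, cert_data, store, fetch=None):
    """Return the DER certificate the payload refers to, preferring the local store."""
    if encoding != HASH_AND_URL_X509:
        raise ValueError("not a Hash-and-URL X.509 payload")
    digest, url = parse_hash_and_url(cert_data)
    der = store.get(digest)
    if der is None:
        if url is None or fetch is None:
            raise LookupError("hash-only reference to a certificate that is not provisioned")
        der = fetch(url)  # caller-supplied retrieval; result is untrusted until hashed
    if not hmac.compare_digest(hashlib.sha1(der).digest(), digest):
        raise ValueError("certificate does not match the hash in the payload")
    return der

# Constructed stand-in for a large peer certificate (not a real certificate).
SAMPLE_CERT = b"\x30\x82" + bytes(range(256)) * 1024
SAMPLE_HASH = hashlib.sha1(SAMPLE_CERT).digest()

if __name__ == "__main__":
    store = provision([SAMPLE_CERT])
    found = resolve_certificate(HASH_AND_URL_X509, SAMPLE_HASH, store)
    print(len(SAMPLE_HASH), "octets on the wire refer to", len(found), "stored octets")
```

A hash-only payload resolves only against the local store, so a peer whose certificate was never provisioned is rejected rather than triggering a fetch.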
