I very much appreciate having a concrete hybrid scheme that is intentionally not generic. This avoids the explosion of ciphertext suites that would otherwise occur, and allows for better compatibility of libraries. Fixing the key sizes to ML-KEM 768 and X25519 is aligned with our preferred choices as well, and further increases interoperability.
On Thu, Jan 11, 2024 at 9:31 AM Salz, Rich <rsalz= 40akamai....@dmarc.ietf.org> wrote: > I'm going to echo Bas to highlight that X-Wing is not generic to any > IND-CCA KEM, it is a particular primitive construction based on the > internal construction of ML-KEM in particular: > > > > I don’t think it’s our place to try to shoe-horn everything into one > construct. Particularly when we are in the experimentation phase of things. > > > > If people want to have ML-KEM as a material in their composites, it sounds > like they might want to learn from X-Wing, but not try to chop them to fit > into that one keyhole, as it were. > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- Sophie Schmieg | Information Security Engineer | ISE Crypto | sschm...@google.com
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
