--
V/R,
Uri
There are two ways to design a system. One is to make it so simple there are
obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
>nnerEndI very much appreciate having a concrete hybrid scheme that is
>intentionally not generic.
Totally agree.
> This avoids the explosion of ciphertext suites that would otherwise occur,
> and allows for better compatibility of libraries.
> Fixing the key sizes to ML-KEM 768 and X25519 is aligned with our preferred
> choices as well, and further increases interoperability.
Yes.
Except that I want also an option with ML-KEM 1024.
On Thu, Jan 11, 2024 at 9:31 AM Salz, Rich <[email protected]>
wrote:
I'm going to echo Bas to highlight that X-Wing is not generic to any IND-CCA
KEM, it is a particular primitive construction based on the internal
construction of ML-KEM in particular:
I don’t think it’s our place to try to shoe-horn everything into one construct.
Particularly when we are in the experimentation phase of things.
If people want to have ML-KEM as a material in their composites, it sounds like
they might want to learn from X-Wing, but not try to chop them to fit into that
one keyhole, as it were.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
--
Sophie Schmieg | Information Security Engineer | ISE Crypto |
[email protected]
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
