On Thu, Jan 11, 2024 at 10:48 PM Martin Thomson <m...@lowentropy.net> wrote:
> On Thu, Jan 11, 2024, at 07:13, Bas Westerbaan wrote:
> > X-Wing aims for 128-bit security, and for that combines the time-tested
> > X25519 with ML-KEM-768 [8]. X-Wing uses the combiner
> >
> >   SHA3-256( xwing-label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519 )
>
> At least for TLS, I'm not convinced that any combiner is necessary, in
> line with the analysis done for draft-ietf-tls-hybrid-design.

I agree, for TLS this is not required for security. For TLS the trade-off is this: we add one single keccak permutation, so that we can eliminate the need of two different KEMs both called X25519Kyber768, which are both used in PQ TLS with PQ ECH.

Best,

Bas
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls