A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Transport Layer Security WG of the IETF.
Title : Compact TLS 1.3
Authors : Eric Rescorla
Richard Barnes
Thanks Martin. All makes sense, and I'll incorporate in a revision. Though at
this point changing the word "hybrid" to "composite" would be a rather big
rewrite so I'll omit that unless there are very strong objections to the word
hybrid.
Douglas
> On Jul 6, 2021, at 21:53, Martin Thomson
On Jul 7, 2021, at 09:26, Salz, Rich wrote:
>
> PQ OID's came up in the LAMPS working group, which seems to want to defer to
> NIST. You should maybe cross-post your note there.
Hi Rich,
Unless I'm mistaken, OIDs are relevant to TLS in the context of signatures, but
not key exchange; TLS def
Hi folks,
I have just given draft-celi-wiggers-tls-authkem-00.txt a quick
read. I'm struggling a bit with the rationale, which I take to be
these paragraphs:
In this proposal we use the DH-based KEMs from [I-D.irtf-cfrg-hpke].
We believe KEMs are especially worth discussing in the context o
Hi Eric,
The main motivation is that, in some cases, post-quantum signatures are larger
in terms of communication size compared to a post-quantum KEM, under the same
cryptographic assumption.
For example, the KEM Kyber (based on module LWE) at the 128-bit security level
has 800-byte public k
On Mon, Jul 12, 2021 at 5:58 PM Douglas Stebila wrote:
> Hi Eric,
>
> The main motivation is that, in some cases, post-quantum signatures are
> larger in terms of communication size compared to a post-quantum KEM, under
> the same cryptographic assumption.
>
> For example, the KEM Kyber (based on
Let me emphasize the reasons Douglas brought up. Note that I need to use NIST
Sec Level 5 algorithms. So, Kyber-1024 and Dilithium5 (other algorithms show
even worse ratio between KEM and signature!).
Communications costs:
- Difference in public key sizes: 1568 bytes of Kyber vs. 2592 bytes of
> So, while I'm not that enthusiastic about paying a few K, I think on balance
> it's a better than doing this kind of major rearchitecture of TLS.
+1. KEMTLS is a great scheme but significantly changes the TLS state machine.
It introduces implicit and explicit auth concepts which do not exist
Hi Uri,
If we are talking NIST Level 5 (and I am assuming you are discussing mTLS),
have you calculated the total CertVerify+cert chain sizes there assuming 2 ICAs
let's say?
And would constrained devices or mediums that sweat about 5KB really be able to
support PQ KEMs and Sigs at NIST Level
> If we are talking NIST Level 5 (and I am assuming you are
> discussing mTLS),
Yes. ;-)
> ...have you calculated the total CertVerify+cert chain sizes
> there assuming 2 ICAs let's say?
More or less. ;-)
My use case has all the ICAs pre-loaded - the transmitted chain contains only
one entit
10 matches
Mail list logo
