On Sep 21, 2015, at 10:43 PM, Hubert Kario <hka...@redhat.com> wrote: > >> I doubt anyone would really want to use any keys in the megabyte range >> anyway. Post-quantum crypto research/experimentation for TLS & other >> network protocols should really focus on systems with smaller keys. >> Even if a giant-key scheme was ideal, you'll have a very hard time >> convincing people to actually use it, no matter how much they might >> need it. :/ > > true, that being said, I can see 64KiB total being limiting for > different stuff in the future > > and while sending 2MiB packets as "just a hello" is unlikely, I can see > us sending 64KiB or 128KiB packets...
Bernstein et al. needed 64 KiB public keys for McBits [http://binary.cr.yp.to/mcbits-20130616.pdf]. We needed 4 KiB public keys for ring learning with errors [https://eprint.iacr.org/2014/599]; a switch to learning with errors would make the keys much bigger, but I can't say how much bigger at this point. It is too soon to rule out 64 KiB or larger public keys, although getting smaller key sizes is a very important goal for post-quantum crypto research. Douglas _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
