Shameless plug, but have you looked at constructions like Disco
(https://eprint.iacr.org/2019/180) that target specifically this
issue?

David


On Tue, Feb 26, 2019 at 10:04 PM Hanno Böck <ha...@hboeck.de> wrote:
>
> I think I have raised my concerns before, but I have serious doubts
> there's real need for such ciphersuites.
>
> The reasoning seems to be that performance constrained devices are
> unable to do "normal" TLS. I don't have benchmarks, but it's my
> experience that people vastly overestimate the costs of symmetric
> encryption operations (by far the largest computational cost of TLS is
> the asymmetric handshake). I wonder if the people who believe they need
> an authentication only ciphersuite ever ran tests.
>
> I also see a non-negligible risk in standardizing such ciphersuites.
> Some implementations will end up adding them and coupled with
> implementation flaws we may end up in a situation where inadvertently
> insecure ciphersuites are chosen.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
