On Wed, Sep 16, 2020 at 07:26:56PM +0300, Nimrod Aviram wrote:

> We also note that a related RFC exists, "Hybrid Post-Quantum Key
> Encapsulation Methods (PQ KEM) for Transport Layer Security 1.2"
> [4]. However, that RFC apparently only uses BIKE, Kyber or SIKE as the
> PQ KEM. To our knowledge, all three KEMs have fixed-length secrets. It
> may be prudent to add cautionary language to that document as well,
> in case other KEMs are used in the future.
Searching the newest available versions of the finalists'/alternates' specifications, all have constant output lengths except Kyber (usually 32 octets, but HQC uses 64, and FrodoKEM and SIKE use 16 at Cat1 and 24 at Cat3).

Kyber is a bit of an odd case. The spec uses raw XOF output as the key, and the specification does not seem to say anywhere how long the output should be. The reference implementation always uses 32 octets as the output length.

So none of the finalists/alternates need variable-length secret fields. And with TLS 1.3, due to the way the secret is injected into the key schedule, a length field would only be strictly needed for injectivity if there are multiple variable-length subkeys.

And with regards to TLS 1.2, I would just leave it. Adding PQC to TLS 1.2 is harder than adding PQC to TLS 1.3 (this is definitely not one of those "old versions for free" cases), and TLS 1.2 is pretty much obsolete anyway.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
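The injectivity point in the exchange above, as an added illustration that is not part of the thread or of any draft: concatenating a classical and a PQ shared secret without length fields is non-injective once components can vary in length, a fixed-length first component pins the boundary on its own (the "only one variable-length subkey" case), and a 2-octet length prefix on each component restores unambiguous parsing. The function names and the constructed byte strings are assumptions for illustration.

```python
from typing import Tuple

def combine_naive(ss_classical: bytes, ss_pq: bytes) -> bytes:
    """Hybrid IKM as plain concatenation, no length fields."""
    return ss_classical + ss_pq

def combine_prefixed(ss_classical: bytes, ss_pq: bytes) -> bytes:
    """Hybrid IKM with a 2-octet big-endian length before each component."""
    return (len(ss_classical).to_bytes(2, "big") + ss_classical
            + len(ss_pq).to_bytes(2, "big") + ss_pq)

def split_fixed_first(combined: bytes, fixed_len: int) -> Tuple[bytes, bytes]:
    """Parse a naive concatenation when only the second component varies:
    the fixed-size first component alone determines the boundary, so no
    length field is needed for injectivity."""
    if len(combined) < fixed_len:
        raise ValueError("combined secret shorter than fixed component")
    return combined[:fixed_len], combined[fixed_len:]

def split_prefixed(combined: bytes) -> Tuple[bytes, bytes]:
    """Parse the length-prefixed form; rejects truncation and trailing bytes."""
    parts, i = [], 0
    for _ in range(2):
        if i + 2 > len(combined):
            raise ValueError("truncated length field")
        n = int.from_bytes(combined[i:i + 2], "big")
        i += 2
        if i + n > len(combined):
            raise ValueError("truncated component")
        parts.append(combined[i:i + n])
        i += n
    if i != len(combined):
        raise ValueError("trailing bytes after second component")
    return parts[0], parts[1]

def naive_collision_exists() -> bool:
    """Two distinct (classical, pq) pairs (constructed) collide under
    plain concatenation, but not under the length-prefixed encoding."""
    a = (b"\x01\x02", b"\x03")
    b = (b"\x01", b"\x02\x03")
    return (combine_naive(*a) == combine_naive(*b)
            and combine_prefixed(*a) != combine_prefixed(*b))

if __name__ == "__main__":
    print("naive concatenation collides:", naive_collision_exists())
    print(split_fixed_first(combine_naive(b"A" * 32, b"\x03\x04"), 32))
```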