On 22/08/2022 14:24, Bas Westerbaan wrote:
> Here they're speaking about adding non-FIPS PQ to a non-PQ FIPS kex,[2] but the other way around is also ok — what am I missing?
Let's assume Kyber is FIPS-approved. Indeed, you'll be able to have a FIPS library with Z generated by Kyber and T generated by X25519 (but not the other way around). As X25519 is not FIPS-approved, the lab won't be able to test it, hence you can't declare any security on that scheme. This will be reflected in the security policy (as a "non-approved algorithm, with no security claimed"). In theory, X25519 may produce wrong results and your product still gets a FIPS certificate, as the algorithm is security-irrelevant. It is a similar situation to what we have today, but with Z generated by P-256 and T by Kyber.

What, I think, is more valuable for those who need FIPS is to be able to have a hybrid construction in which both algorithms are properly tested and certified by the FIPS lab. Also, in that case, Z can be generated by either PQ or non-PQ, as both are FIPS-approved.

Kind regards,
Kris
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls