Using ephemeral-static ECDH for implicit authentication as in the Noise protocol has several benefits. The benefits of using KEMs instead of signatures seem more limited. The current proposal requires 3 full round-trips instead of 1.5 round-trips for mutual authentication. If I understand correctly, the message sizes are smaller than Kyber+Dilithium but similar to Kyber+Falcon (probably a bit larger in total).
If continued, I think Kyber KEMs make a lot more sense than ECDH KEM. For ECDH KEM you can do something much more efficient.

Two comments on the document

- “these proposals require a non-interactive key exchange” My understanding of NIKE is that the parties do not have any interaction. One example of NIKE is static-static DH. OPTLS uses ephemeral-static DH. I don't think it is correct to describe that as NIKE. https://eprint.iacr.org/2012/732.pdf

- The document could mention that to derive the application_traffic_secret, an attacker needs more than a single private key. Having a single ephemeral private key is no longer enough as is the case in ordinary certificate based TLS 1.3.

Cheers,
John

From: TLS <tls-boun...@ietf.org> on behalf of Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu>
Date: Tuesday, 24 January 2023 at 19:15
To: Mike Ounsworth <Mike.Ounsworth=40entrust....@dmarc.ietf.org>, p...@ietf.org <p...@ietf.org>, tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Did TLS AuthKEM die?

I truly hope AuthKEM is alive.

--
V/R,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare

From: TLS <tls-boun...@ietf.org> on behalf of Mike Ounsworth <Mike.Ounsworth=40entrust....@dmarc.ietf.org>
Date: Tuesday, January 24, 2023 at 12:33
To: "p...@ietf.org" <p...@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Did TLS AuthKEM die?

Thom, Sofía,

draft-celi-wiggers-tls-authkem is expired. Is that on purpose? Does it still have steam or is it dead?

---
Mike Ounsworth
Software Security Architect, Entrust

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.