> > On 8 Nov 2023, at 8:34, Loganaden Velvindron <logana...@gmail.com> wrote: > > > > I support moving forward with hybrids as a proactively safe deployment > > option. I think that supporting > > only Kyber for KEX is not enough. It would make sense to have more options. > > > > Google uses NTRU HRSS internally: > > https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms > > > > If Google decides to use this externally, how easy would it be to get > > a codepoint for TLS ? > As easy as writing it up in a stable document (may or may not be an Internet-draft) and asking IANA for a code point assignment. > > It can be done in days, if needed. > > Yoav
Just to clarify a few things about our internal usage of NTRU-HRSS: This is for historic reasons. Our stated intention is to move to Kyber once NIST releases the standard, see e.g. my talk at PQCrypto [1], where I go into some detail on this topic. Long story short, we had to choose a candidate well before even NIST's round 3 announcement, and haven't changed since changing a ciphersuite, while relatively straightforward is not free, so we would like to avoid doing it twice in a year. The only security consideration that went into the decision for NTRU was that we wanted to use a structured lattice scheme, with NTRU being chosen for non-security related criteria that have since materially changed. I do not think it makes a lot of sense to have multiple schemes based on structured lattices in TLS, and Kyber is in my opinion the superior algorithm. [1] https://www.youtube.com/watch?v=8PYYM3G7_GY --
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
