On Thu, Jan 11, 2024, at 07:13, Bas Westerbaan wrote:
> X-Wing aims for 128-bit security, and for that combines the time-tested
> X25519 with ML-KEM-768 [8]. X-Wing uses the combiner
>
> SHA3-256( xwing-label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519 )
At least for TLS, I'm not convinced that any combiner is necessary, in line
with the analysis done for draft-ietf-tls-hybrid-design.
TLS hashes the entire transcript. Would you poke holes in it to make the
savings real? That seems inadvisable, not only because it would be a pain to
implement. The existing draft-tls-westerbaan-xyber768d00 seems adequate in
that regard.
I'm of the view that draft-westerbaan-cfrg-hpke-xyber768d00 is also fine for
HPKE (modulo an update to the latest ML-KEM). If the analysis shows that you
can avoid the ML-KEM ciphertext, then I'm not opposed to cost savings for HPKE.
In other words, though I can see the value in modularity of analysis that
something like this brings, if that modularity comes at the cost of efficiency
or complexity in real applications, I don't see the point.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
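The combiner quoted at the top of this message, written out as an added example rather than code from the X-Wing draft, the thread or its authors. It assumes the draft's label bytes (`\.//^\`) and the fixed 32-byte sizes of an ML-KEM-768 shared secret and of X25519 shared secrets, ephemeral public keys (the X25519 "ciphertext") and public keys; the inputs below are constructed, not real key material, so the digest is illustrative only.

```python
import hashlib

# Label assumed from the X-Wing draft; the quoted message only names it "xwing-label".
XWING_LABEL = b"\\.//^\\"

SS_MLKEM_LEN = 32   # ML-KEM-768 shared secret
X25519_LEN = 32     # X25519 shared secret, ephemeral public key (ct_X25519) and public key


def xwing_combiner(ss_mlkem: bytes, ss_x25519: bytes,
                   ct_x25519: bytes, pk_x25519: bytes) -> bytes:
    """SHA3-256(label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519).

    Every input has a fixed length, so plain concatenation is unambiguous;
    the length checks keep a caller from feeding a truncated or swapped field.
    """
    for name, value, expected in (
        ("ss_mlkem", ss_mlkem, SS_MLKEM_LEN),
        ("ss_x25519", ss_x25519, X25519_LEN),
        ("ct_x25519", ct_x25519, X25519_LEN),
        ("pk_x25519", pk_x25519, X25519_LEN),
    ):
        if len(value) != expected:
            raise ValueError(f"{name}: expected {expected} bytes, got {len(value)}")
    h = hashlib.sha3_256()
    h.update(XWING_LABEL)
    h.update(ss_mlkem)
    h.update(ss_x25519)
    h.update(ct_x25519)
    h.update(pk_x25519)
    return h.digest()


def demo() -> dict:
    """Run the combiner on constructed inputs (not real key material)."""
    ss_m = bytes([0x11]) * 32
    ss_x = bytes([0x22]) * 32
    ct_x = bytes([0x33]) * 32
    pk_x = bytes([0x44]) * 32
    key = xwing_combiner(ss_m, ss_x, ct_x, pk_x)
    # Flipping one bit of the X25519 public key changes the output even though
    # both shared secrets are unchanged: the combiner binds ct_X25519 and pk_X25519.
    pk_x2 = bytes([0x45]) + pk_x[1:]
    key2 = xwing_combiner(ss_m, ss_x, ct_x, pk_x2)
    return {"key": key, "key_other_pk": key2}


if __name__ == "__main__":
    out = demo()
    print("shared key      :", out["key"].hex())
    print("with other pk_X :", out["key_other_pk"].hex())
```

The point of the check against a modified pk_X25519 is the one the reply is weighing: inside the combiner, the X25519 public key and ciphertext are bound into the key even when both raw shared secrets are identical, whereas in TLS that binding already comes from hashing the whole transcript.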