X25519+ML-KEM will be acceptable for FIPS, just like P-256+Kyber is today. We just need to wait for the final standard, and (crucially) for the verified modules with ML-KEM.
On Mon, Jun 3, 2024 at 8:56 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote: > > I'm afraid I have no measurements to offer, but... > > On 03/06/2024 19:05, Eric Rescorla wrote: > > The question is rather what the minimum set of algorithms we need is. My > > point is that that has to include P-256. It may well be the case that > > it needs to also include X25519. > > Yep, the entirely obvious answer here is we'll end up defining at least > x25519+PQ and p256+PQ. Arguing for one but not the other (in the TLS > WG) seems pretty pointless to me. (That said, the measurements offered > are as always interesting, so the discussion is less pointless than > the argument:-) > > Cheers, > S. > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-le...@ietf.org >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
