On Wednesday, 5 June 2024 07:56:21 CEST, John Mattsson wrote:
Andrei Popov wrote:
CNSA requires P384, so we’ll also need a hybrid that includes this EC.
Yes, I am not sure about the statement that P-256 is required. The requirement for FIPS in the next few years should be one of the NIST P-curves. I think P-384 is the most required of the NIST P-curves.

P-256 is the fastest of the NIST curves and fine for everyday use.
(both because it's one of the smaller ones but also because it has one
of the most optimised implementations around.

P-384 is the only curve allowed for CNSA 1.0, so it will be needed for the
transition period.

we need both
Scott Fluhrer wrote:
I believe that it is unreasonable to expect that a single combination would satisfy everyone’s needs.

Yes, that is completely unreasonable. TLS is MUCH larger than the Web. There will clearly be registrations for combinations of most current curves (P-curves, X-curves, Brainpool, SM, GOST) with most PQC KEMs (ML-KEM, BIKE/HQC, Classic McEliece, FrodoKEM, future Isogeny? (Isogenies was the hottest topic at Eurocrypt this year) ). European countries say that hybrids will be a must for a long-time. Cheers,
John
From: Andrei Popov <Andrei.Popov=40microsoft....@dmarc.ietf.org>
Date: Wednesday, 5 June 2024 at 07:24
To: Eric Rescorla <e...@rtfm.com>, Stephen Farrell <stephen.farr...@cs.tcd.ie>
Cc: tls@ietf.org <tls@ietf.org>
Subject: [TLS]Re: [EXTERNAL] Re: Curve-popularity data?

CNSA requires P384, so we’ll also need a hybrid that includes this EC.
Cheers, Andrei From: Eric Rescorla <e...@rtfm.com> Sent: Monday, June 3, 2024 12:53 PM
To: Stephen Farrell <stephen.farr...@cs.tcd.ie>
Cc: Loganaden Velvindron <logana...@gmail.com>; Andrei Popov <andrei.po...@microsoft.com>; Salz, Rich <rs...@akamai.com>; tls@ietf.org
Subject: Re: [TLS]Re: [EXTERNAL] Re: Curve-popularity data?
On Mon, Jun 3, 2024 at 11:55 AM Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:

I'm afraid I have no measurements to offer, but...

On 03/06/2024 19:05, Eric Rescorla wrote:
The question is rather what the minimum set of algorithms we need is. My
  point is that that has to include P-256. It may well be the case that
it needs to also include X25519.

Yep, the entirely obvious answer here is we'll end up defining at least
x25519+PQ and p256+PQ. Arguing for one but not the other (in the TLS
WG) seems pretty pointless to me. (That said, the measurements offered
are as always interesting, so the discussion is less pointless than
the argument:-)
Yes, this seems correct to me. -Ekr
Cheers,
S.

--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to