If we’re talking about CNSA, well CNSA 2.0 insists on ML-KEM-1024 (and would prefer that alone) – I had been assuming that could be better handled by the ML-KEM-only draft…
From: John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> Sent: Wednesday, June 5, 2024 1:56 AM To: tls@ietf.org Subject: [TLS]Re: [EXTERNAL] Re: Curve-popularity data? Andrei Popov wrote: >CNSA requires P384, so we’ll also need a hybrid that includes this EC. Yes, I am not sure about the statement that P-256 is required. The requirement for FIPS in the next few years should be one of the NIST P-curves. I think P-384 is the most required of the NIST P-curves. Scott Fluhrer wrote: >I believe that it is unreasonable to expect that a single combination would >satisfy everyone’s needs. Yes, that is completely unreasonable. TLS is MUCH larger than the Web. There will clearly be registrations for combinations of most current curves (P-curves, X-curves, Brainpool, SM, GOST) with most PQC KEMs (ML-KEM, BIKE/HQC, Classic McEliece, FrodoKEM, future Isogeny? (Isogenies was the hottest topic at Eurocrypt this year) ). European countries say that hybrids will be a must for a long-time. Cheers, John From: Andrei Popov <Andrei.Popov=40microsoft....@dmarc.ietf.org<mailto:Andrei.Popov=40microsoft....@dmarc.ietf.org>> Date: Wednesday, 5 June 2024 at 07:24 To: Eric Rescorla <e...@rtfm.com<mailto:e...@rtfm.com>>, Stephen Farrell <stephen.farr...@cs.tcd.ie<mailto:stephen.farr...@cs.tcd.ie>> Cc: tls@ietf.org<mailto:tls@ietf.org> <tls@ietf.org<mailto:tls@ietf.org>> Subject: [TLS]Re: [EXTERNAL] Re: Curve-popularity data? CNSA<https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF> requires P384, so we’ll also need a hybrid that includes this EC. Cheers, Andrei From: Eric Rescorla <e...@rtfm.com<mailto:e...@rtfm.com>> Sent: Monday, June 3, 2024 12:53 PM To: Stephen Farrell <stephen.farr...@cs.tcd.ie<mailto:stephen.farr...@cs.tcd.ie>> Cc: Loganaden Velvindron <logana...@gmail.com<mailto:logana...@gmail.com>>; Andrei Popov <andrei.po...@microsoft.com<mailto:andrei.po...@microsoft.com>>; Salz, Rich <rs...@akamai.com<mailto:rs...@akamai.com>>; tls@ietf.org<mailto:tls@ietf.org> Subject: Re: [TLS]Re: [EXTERNAL] Re: Curve-popularity data? On Mon, Jun 3, 2024 at 11:55 AM Stephen Farrell <stephen.farr...@cs.tcd.ie<mailto:stephen.farr...@cs.tcd.ie>> wrote: I'm afraid I have no measurements to offer, but... On 03/06/2024 19:05, Eric Rescorla wrote: > The question is rather what the minimum set of algorithms we need is. My > point is that that has to include P-256. It may well be the case that > it needs to also include X25519. Yep, the entirely obvious answer here is we'll end up defining at least x25519+PQ and p256+PQ. Arguing for one but not the other (in the TLS WG) seems pretty pointless to me. (That said, the measurements offered are as always interesting, so the discussion is less pointless than the argument:-) Yes, this seems correct to me. -Ekr Cheers, S.
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
