CNSA 1.0 requires P-384 or RSA-3072, and does not allow P-256. CNSA 2.0 requires ML-KEM, and does not approve any of the ECC curves. But there’s a “transition period”, during which P-384 could presumably be used. -- V/R, Uri
From: Scott Fluhrer (sfluhrer) <sfluhrer=40cisco....@dmarc.ietf.org> Date: Wednesday, June 5, 2024 at 09:54 To: John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org>, tls@ietf.org <tls@ietf.org> Subject: [EXT] [TLS]Re: [EXTERNAL] Re: Curve-popularity data? If we’re talking about CNSA, well CNSA 2. 0 insists on ML-KEM-1024 (and would prefer that alone) – I had been assuming that could be better handled by the ML-KEM-only draft… From: John Mattsson <john. mattsson=40ericsson. com@ dmarc. ietf. org> ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside the Laboratory. ZjQcmQRYFpfptBannerEnd If we’re talking about CNSA, well CNSA 2.0 insists on ML-KEM-1024 (and would prefer that alone) – I had been assuming that could be better handled by the ML-KEM-only draft… From: John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> Sent: Wednesday, June 5, 2024 1:56 AM To: tls@ietf.org Subject: [TLS]Re: [EXTERNAL] Re: Curve-popularity data? Andrei Popov wrote: >CNSA requires P384, so we’ll also need a hybrid that includes this EC. Yes, I am not sure about the statement that P-256 is required. The requirement for FIPS in the next few years should be one of the NIST P-curves. I think P-384 is the most required of the NIST P-curves. Scott Fluhrer wrote: >I believe that it is unreasonable to expect that a single combination would >satisfy everyone’s needs. Yes, that is completely unreasonable. TLS is MUCH larger than the Web. There will clearly be registrations for combinations of most current curves (P-curves, X-curves, Brainpool, SM, GOST) with most PQC KEMs (ML-KEM, BIKE/HQC, Classic McEliece, FrodoKEM, future Isogeny? (Isogenies was the hottest topic at Eurocrypt this year) ). European countries say that hybrids will be a must for a long-time. Cheers, John From: Andrei Popov <Andrei.Popov=40microsoft....@dmarc.ietf.org <mailto:Andrei.Popov=40microsoft....@dmarc.ietf.org>> Date: Wednesday, 5 June 2024 at 07:24 To: Eric Rescorla <e...@rtfm.com <mailto:e...@rtfm.com>>, Stephen Farrell <stephen.farr...@cs.tcd.ie <mailto:stephen.farr...@cs.tcd.ie>> Cc: tls@ietf.org <mailto:tls@ietf.org> <tls@ietf.org <mailto:tls@ietf.org>> Subject: [TLS]Re: [EXTERNAL] Re: Curve-popularity data? CNSA <https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF> requires P384, so we’ll also need a hybrid that includes this EC. Cheers, Andrei From: Eric Rescorla <e...@rtfm.com <mailto:e...@rtfm.com>> Sent: Monday, June 3, 2024 12:53 PM To: Stephen Farrell <stephen.farr...@cs.tcd.ie <mailto:stephen.farr...@cs.tcd.ie>> Cc: Loganaden Velvindron <logana...@gmail.com <mailto:logana...@gmail.com>>; Andrei Popov <andrei.po...@microsoft.com <mailto:andrei.po...@microsoft.com>>; Salz, Rich <rs...@akamai.com <mailto:rs...@akamai.com>>; tls@ietf.org <mailto:tls@ietf.org> Subject: Re: [TLS]Re: [EXTERNAL] Re: Curve-popularity data? On Mon, Jun 3, 2024 at 11:55 AM Stephen Farrell <stephen.farr...@cs.tcd.ie <_blank>> wrote: I'm afraid I have no measurements to offer, but... On 03/06/2024 19:05, Eric Rescorla wrote: > The question is rather what the minimum set of algorithms we need is. My > point is that that has to include P-256. It may well be the case that > it needs to also include X25519. Yep, the entirely obvious answer here is we'll end up defining at least x25519+PQ and p256+PQ. Arguing for one but not the other (in the TLS WG) seems pretty pointless to me. (That said, the measurements offered are as always interesting, so the discussion is less pointless than the argument:-) Yes, this seems correct to me. -Ekr Cheers, S.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
