My $.02.

* We should have a consistent ordering of [EC, PQ] in both the names and
the key schedule. I.e., the code should be consistent with the naming and
either the EC or the PQC ought to always come first.
* I don't have a strong opinion about which should go first.
* Can we please have a separator between them, as in MLKEM768_X25519?

-Ekr


On Thu, Oct 17, 2024 at 8:18 AM Jan Schaumann <jschauma=
40netmeister....@dmarc.ietf.org> wrote:

> Bas Westerbaan <bas=40cloudflare....@dmarc.ietf.org> wrote:
> > The number of people that actually implement these hybrid KEMs is much
> > smaller than the number of people that need to make a choice based on
> their
> > name. How do we explain that one is called MLKEM768X25519 and the other
> > SecP256r1MLKEM768?
>
> "In hybrid key exchanges, the name reflects the
> order."
>
> This strikes me as overall much less confusing all
> around than
>
> "One is called <first><second>, the other is called
> <second><first>, because we wanted to have both end in
> the same string."
>
> People choosing will do a substring match ("I want
> PQC, so... ok, here's one that contains 'MLKEM', let
> me enable that.").
>
> -Jan
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
>
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to