On Sat, 16 Nov 2024 at 10:23, Andrey Jivsov <cry...@brainhub.org> wrote:
> On Fri, Nov 15, 2024 at 3:56 PM Watson Ladd <watsonbl...@gmail.com> wrote: > >> ... >> Why not hash based signatures? >> > > I think that the stateful ones are perfectly suited for certifications in > X.509 certs, but in the TLS handshake this has to be Sphincs+, at 16.2KB > per signature at the AES-192 security level. In addition to size concerns, > it's not allowed in CNSA 2.0. Are vendors considering SPHINCS+ for this > purpose? > Yes, we are considering SPHINCS+ for long-lived TLS sessions in telco deployments for interfaces where computational costs of signature generation and validation are minor compared to data transmission and processing demands of user data. The findings in Amazon <https://www.amazon.science/publications/the-impact-of-data-heavy-post-quantum-tls-1-3-on-the-time-to-last-byte-of-real-world-connections> paper <https://www.amazon.science/publications/the-impact-of-data-heavy-post-quantum-tls-1-3-on-the-time-to-last-byte-of-real-world-connections> shows that while PQ algorithms increase the TLS 1.3 handshake data size, their effect on connection performance is minimal for large data transfers, especially in low-loss networks. -Tiru > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-le...@ietf.org >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
