Hybrids are mandatory for protocols like IKEv2 over UDP to handle
fragmentation (traditional key exchange followed by a PQ KEM), see
https://datatracker.ietf.org/doc/draft-kampanakis-ml-kem-ikev2/.

-Tiru

On Sat, 16 Nov 2024 at 11:43, Watson Ladd <watsonbl...@gmail.com> wrote:

>
>
> On Fri, Nov 15, 2024, 8:52 PM Andrey Jivsov <cry...@brainhub.org> wrote:
>
>> On Fri, Nov 15, 2024 at 3:56 PM Watson Ladd <watsonbl...@gmail.com>
>> wrote:
>>
>>> ...
>>> Why not hash based signatures?
>>>
>>
>>  I think that the stateful ones are perfectly suited for certifications
>> in X.509 certs, but in the TLS handshake this has to be Sphincs+, at 16.2KB
>> per signature at the AES-192 security level. In addition to size concerns,
>> it's not allowed in CNSA 2.0. Are vendors considering SPHINCS+ for this
>> purpose?
>>
>
> If CNSA 2.0 is the guide why consider hybrids?
>
>> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
>
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to