Hybrids are mandatory for protocols like IKEv2 over UDP to handle fragmentation (traditional key exchange followed by a PQ KEM); see https://datatracker.ietf.org/doc/draft-kampanakis-ml-kem-ikev2/.
-Tiru

On Sat, 16 Nov 2024 at 11:43, Watson Ladd <watsonbl...@gmail.com> wrote:

> On Fri, Nov 15, 2024, 8:52 PM Andrey Jivsov <cry...@brainhub.org> wrote:
>
>> On Fri, Nov 15, 2024 at 3:56 PM Watson Ladd <watsonbl...@gmail.com>
>> wrote:
>>
>>> ...
>>> Why not hash based signatures?
>>>
>>
>> I think that the stateful ones are perfectly suited for certifications
>> in X.509 certs, but in the TLS handshake this has to be Sphincs+, at 16.2KB
>> per signature at the AES-192 security level. In addition to size concerns,
>> it's not allowed in CNSA 2.0. Are vendors considering SPHINCS+ for this
>> purpose?
>>
>
> If CNSA 2.0 is the guide why consider hybrids?
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org