On Tuesday, 19 November 2024 15:27:03 CET, D. J. Bernstein wrote:
Alicja Kario writes:
Or:
Auditor sees that P + Q system is more complex to implement and validate
than a simple Q system, therefore ML-DSA security > ML-DSA+Ed25519 security.

Therefore the deployment of CECPQ2b = ECC+SIKE should have been replaced
with just SIKE? What's next, advocating the null cipher on the basis of
how simple it is?

You are mixing up key exchange with authentication...

Yes, I do not like that we have codepoint assignments for pure ML-KEM.
But this thread is about ML-DSA in TLS.

See https://blog.cr.yp.to/20240102-hybrid.html for further analysis of
the anti-hybrid arguments from NSA and GCHQ. The TLS WG can and should
investigate the details and make its own decisions.

I _agree with you,_ that hybrids are preferable.
I still don't find those arguments convincing though.

Just like others already said on this list: some of us have customers
asking for pure algorithm options. We are not asking for IETF to recommend
pure algorithms. We are asking for codepoint assignments, so that
those that chose to use pure options can interoperate with each other.

Without showing clear and significant break of those algorithms, we are not
in a position to enforce value judgment on that behaviour.
--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
