Tim Hollebeek writes: [ regarding "composite and hybrid" ] > To be clear, the draft says absolutely nothing about either of those > two topics
To be clear, that's not a good thing. The draft is deviating from the normal, amply justified security practices regarding PQ deployment. The resulting security risks are on topic. > ML-DSA support for TLS is obvious and straightforward. Concatenated ECC+Dilithium support for TLS is obvious, straightforward, and less risky than the draft at hand. The counterarguments don't hold up to examination; see https://blog.cr.yp.to/20240102-hybrid.html. For dilithium2, keys are 1312 bytes and signatures are 2420 bytes. A typical ECC signature system adds 32 bytes and 64 bytes respectively. ---D. J. Bernstein _______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
