> I think that if we pursue an alternative structured lattice KEM, it should
> bring at least another advantage to the table. From a performance
> perspective BAT ( https://eprint.iacr.org/2022/031 ) improves
> considerably over ML-KEM in certain use cases: its ciphertexts and public
> keys are smaller, but its keygen is slower. That's a good trade-off for
> non-ephemeral use cases such as ECH, AuthKEM, and OHTTP.

To clarify: I'm not commenting about whether BAT is sufficiently different from ML-KEM from a security perspective. I'm giving it as an example for its performance characteristics.

Bas

_______________________________________________
TLS mailing list -- tls@ietf.org