Hi, I think HQC is a good backup algorithm to ML-KEM for ephemeral key exchange. I would like to see HQC supported in TLS, but I would not use it unless something is wrong with ML-KEM (theoretical or implementation). If used in TLS key exchange, both the sizes of the encapsulation keys and the ciphertexts matter. HQC is also slower than ML-KEM, but ML-KEM is blazingly fast, even faster than X25519. See e.g., slide 9 of this presentation for an overview. https://csrc.nist.gov/csrc/media/Presentations/2025/ml-kem-is-great/images-media/ml-kem-is-great.pdf
Due to the large public keys, I do not think Classic McEliece is very suitable for ephemeral key exchange in TLS. Classic McEliece is excellent for static encapsulation keys. If would be a good fit for ECH (or for authentication in a theoretical KEM-TLS). Cheers, John From: Andrew Scott <and...@aes.id.au> Date: Tuesday, 18 March 2025 at 12:02 To: tls@ietf.org <tls@ietf.org> Subject: [TLS] Re: WG Adoption Call for Post-Quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3 You don't often get email from and...@aes.id.au. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Some relevant additional detail from NIST's paper selecting HQC.. On Thursday, 13 March 2025 10:01 UTC, Alicja Kario wrote: > NIST has selected HQC for standardisation this week... No idea about > its patent situation, or if we want something with ciphertexts this big in > TLS... (reminder: 4.4 kiB, 8.8 kiB, and 14.1 kiB for 128, 192 and 256 > bit level of security respectively) As well as HQC's selection, NIST also called out in their report as a possible future NIST standard once ISO/IEC is finished with it: See https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8545.pdf > In the event that Classic McEliece does become widely > used through other standards, and that NIST remains confident in its security > while also > determining that there is sufficient need, NIST may develop a NIST standard > based on the > widely used version. It has better ciphertext sizes, but much much worse encapsulation/decapsulation key sizes. Andrew Scott https://aes.id.au/
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
