On Wed, Apr 16, 2025 at 02:15:03AM +0000, Salz, Rich wrote: > > If "move to PQ" meant no hybrid stuff for TLS, I'd really wonder why. > > That’s easy to answer: “many of our members have very > hardware-constrained PoS devices.” Is that okay?
It might be possible to design the key exchange such that the hardware need not hold both PQ and ECC keys in memory at once, just one one set + one KDF output at most. That would not be unreasonable. For example, a current TPM might not have enough memory for PQ, but if it did then it would almost certainly have enough memory for holding a KDF output in addition. And if a current TPM did not have enough memory for PQ (and I assume current TPMs don't) then you'd need a new TPM and we could ensure that they do have enough memory for holding a KDF output. Nico -- _______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
