> This is misleading. There are many implementations of Kyber that require > much less memory. See eg [1] from 2019 where Kyber-512 only requires 2736 > bytes.
Thank you. Somehow I missed this, although the use of a reference implementation seemed suspicious. > By the way, for key agreement, between keygen and decapsulation, a client > only needs to keep around the private key seed (64 bytes). This actually emphasizes the point. For any ML-KEM capable device, we are still talking about a minimum RAM of at least two KB (ignoring significant future optimizations). Moreover, much of that memory is unused outside of ML-KEM operations. Then: 1. The unused memory should suffice to perform X25519, and therefore 2. Limited RAM is quite unlikely to be the bottleneck when choosing between ML-KEM and a hybrid. -- TBB
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
