On Wed, Apr 16, 2025 at 10:38 AM Bellebaum, Thomas <
thomas.belleb...@aisec.fraunhofer.de> wrote:

> > This is misleading. There are many implementations of Kyber that require
> > much less memory. See eg [1] from 2019 where Kyber-512 only requires 2736
> > bytes.
>
> Thank you. Somehow I missed this, although the use of a reference
> implementation seemed suspicious.
>
> > By the way, for key agreement, between keygen and decapsulation, a client
> > only needs to keep around the private key seed (64 bytes).
>
> This actually emphasizes the point.
> For any ML-KEM capable device, we are still talking about a minimum RAM of
> at least two KB (ignoring significant future optimizations). Moreover, much
> of that memory is unused outside of ML-KEM operations.
> Then:
>
> 1. The unused memory should suffice to perform X25519, and therefore
> 2. Limited RAM is quite unlikely to be the bottleneck when choosing
> between ML-KEM and a hybrid.
>

Agreed.


>
> -- TBB
>
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
