Because of these attacks:
https://blog.cr.yp.to/20151120-batchattacks.html
could you please consider obsoleting 128-bit ciphers in TLS 1.3?
For example, AES-128 encryption has been removed from Suite B:
https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
More discussions on AES-128
Timothy Jackson:
> I’ve noted that many (most?) TLS implementations choose their ECDHE curves
> seemingly without regard to the cipher suite strength. Thus, they'll select
> an AES256 cipher suite (e.g. TLS_ECDHE_ECDSA_WITH_AES256_SHA384), but then
> generate an ECDHE key on the P256 curve. This
Hanno Böck:
> On Thu, 3 Mar 2016 13:35:46 +
> "Dang, Quynh (Fed)" wrote:
>
>> Why don't we use an even more elegant RSA signature called
>> "full-domain hash RSA signature"?
>
> Full Domain Hashing was originally developed by Rogaway and Bellare and
> then later dismissed because they foun