Re: [TLS] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Watson Ladd
On Wed, Jan 10, 2024 at 12:14 PM Bas Westerbaan wrote:
>
> Dear tls and cfrg working groups,
>
> With ML-KEM (née Kyber) expected to be finalized this year, it’s time to revisit the question of which PQ/T hybrid KEMs to standardize, and which to recommend. My preference would be that we use

Re: [TLS] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Martin Thomson
On Thu, Jan 11, 2024, at 07:13, Bas Westerbaan wrote:
> X-Wing aims for 128-bit security, and for that combines the time-tested X25519 with ML-KEM-768 [8]. X-Wing uses the combiner
>
> SHA3-256( xwing-label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519 )

At least for TLS, I'm not con

Re: [TLS] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Filippo Valsorda
This is excellent, especially the explicit decision to make concrete primitive choices, which allow the scheme to be both secure and efficient. I have an implementation at filippo.io/mlkem768/xwing which passes the test vectors in draft-connolly-cf

[TLS] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-10 Thread Bas Westerbaan
Dear tls and cfrg working groups,

With ML-KEM (née Kyber) expected to be finalized this year, it’s time to revisit the question of which PQ/T hybrid KEMs to standardize, and which to recommend.

# Status quo

For TLS at the time of writing there are two PQ/T hybrids registered: X25519Kyber768 [1]