Shameless plug, but have you looked at constructions like Disco (https://eprint.iacr.org/2019/180) that target specifically this issue?
David

On Tue, Feb 26, 2019 at 10:04 PM Hanno Böck <[email protected]> wrote:
>
> I think I have raised my concerns before, but I have serious doubts
> there's real need for such ciphersuites.
>
> The reasoning seems to be that performance constrained devices are
> unable to do "normal" TLS. I don't have benchmarks, but it's my
> experience that people vastly overestimate the costs of symmetric
> encryption operations (by far the largest computational cost of TLS is
> the asymmetric handshake). I wonder if the people who believe they need
> an authentication only ciphersuite ever ran tests.
>
> I also see a non-negligible risk in standardizing such ciphersuites.
> Some implementations will end up adding them and coupled with
> implementation flaws we may end up in a situation where inadvertently
> insecure ciphersuites are chosen.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: [email protected]
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls
