On Tue, Jul 26, 2022, at 11:21, Stephen Farrell wrote: > Be interested in how that'd change the CH if ECH is used too. > I guess the answer mightn't make us happy;-)
PQ HPKE would not fit, but the Kyber-512 numbers mean that we should be OK for ECH if we stuck with classical security. For obvious reasons, that might not be OK though. If we wanted a PQ HPKE (or a Hybrid KEM) then ECH would blow out the size so that we would end up with multiple packets for the CH. That would be basically unworkable from a performance perspective. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls