> I would also like secp384r1_kyber1024 option, please. Why do you up the ECDH curve sec level with Kyber1024? It adds unnecessary size to the keyshare. like secp384r1_kyber768 combines two equivalent security levels. Those that want to be extra conservative can go secp521r1_kyber1024 which won’t be much worse than secp384r1_kyber1024 in performance or size.
From: TLS <tls-boun...@ietf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL Sent: Tuesday, March 28, 2023 10:40 PM To: Krzysztof Kwiatkowski <k...@amongbytes.com>; Christopher Wood <c...@heapingbits.net> Cc: TLS@ietf.org Subject: RE: [EXTERNAL][TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Can we add secp256r1_kyber768 option for those who prefer NIST curves? I support this. I would also like secp384r1_kyber1024 option, please. Thanks
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls