> (3)-(5) are exactly the hard problems I’ve been thinking a lot about
> lately.  I’d actually be tempted to say that AuthKEM vs signatures is
> something we should figure out ASAP.  I read AuthKEM again this morning,
> and it has a lot of attractive features, but I’m not quite sure what the
> right answer is yet.
>

I don't think we can settle the future of PQ authentication in TLS just yet
— there are still many unknowns. To name a few:

1. What signature schemes are on the horizon? MAYO [1] from the NIST
signatures on-ramp would be great, if it doesn't turn out to be broken.

2. How will the confidence in existing schemes develop? AuthKEM will look
different depending on whether it can use Kyber-512 or Kyber-1024. Also,
will it replace Dilithium5 or Dilithium2?

3. What other higher-level changes is the ecosystem able to adopt? For
instance, Merkle Tree Certs [2].

These are all hard questions, and although I do not believe we can answer
them now, we should be thinking about them right now. I think we should
have different pots on the fire, so to say.

Best,

 Bas

[1] https://pqmayo.org/params-times/
[2] https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
