>
> I think there is a companion point to be made.  I suggest:
>
>    Implementations must use a ciphersuite that includes a symmetric
>    encryption algorithm with sufficiently large keys.  For protection
>    against the future invention of a CRQC, the symmetric key needs to be
>    at least 256 bits.
>

Not true. 128-bit symmetric keys are fine for PQ.

> Right, I think that means that ECH as-is can be used, but in the face
> of a CRQC, ECH as-is won't protect against the leakage about which
> John was concerned.


Not true. ECH, as-is, can be configured to use a PQ KEM. (Whether it's
deployable, and whether its performance is acceptable, is something we
should figure out.)

 Best,

 Bas
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
