-- V/R, Uri There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies. - C. A. R. Hoare >nnerEndI very much appreciate having a concrete hybrid scheme that is >intentionally not generic. Totally agree. > This avoids the explosion of ciphertext suites that would otherwise occur, > and allows for better compatibility of libraries. > Fixing the key sizes to ML-KEM 768 and X25519 is aligned with our preferred > choices as well, and further increases interoperability. Yes. Except that I want also an option with ML-KEM 1024. On Thu, Jan 11, 2024 at 9:31 AM Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> wrote: I'm going to echo Bas to highlight that X-Wing is not generic to any IND-CCA KEM, it is a particular primitive construction based on the internal construction of ML-KEM in particular: I don’t think it’s our place to try to shoe-horn everything into one construct. Particularly when we are in the experimentation phase of things. If people want to have ML-KEM as a material in their composites, it sounds like they might want to learn from X-Wing, but not try to chop them to fit into that one keyhole, as it were. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls -- Sophie Schmieg | Information Security Engineer | ISE Crypto | sschm...@google.com
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls