On Thu, Jan 11, 2024 at 01:58:07PM -0600, Orie Steele wrote:
> Hybrids by their very nature are the explosion.
> 
> If there will only ever be X-Wing, I think it's fine to not make it generic
> (since we admit that it is a special case, not an instance of a generic).
> 
> However, if B-Wing (brainpool + kyber) and P-Wing (p curve + kyber) also
> end up getting made, we never stopped the explosion, and we made it harder
> to evaluate the security properties, and we delayed the rollout against
> harvest and decrypt... for the cases where X-Wing could not fit.
> 
> Yes, we will need proofs for all those other hybrids, sounds like that will
> keep people busy for a while... It feels like promising false hope to say
> that making X-Wing not generic will stop all that other work from
> happening... If anything, making X-Wing generic will reduce the cost of
> doing the work, that seems inevitable at this point.
> 
> I do think it's important for this to not end up as "crabs in a bucket",
> where each candidate holds the others back, and then they all get cooked
> together.
> 
> If arguing over generics causes that, I suggest we not make generics a
> requirement.

It is actually worse than that.

It seems hard to make a generic composition mechanism that explodes only in
its components, not in protocols as well.

That is, it probably will not be better than the mess that exists now.

Even having low and high variants for each of x, p and b curves would
only be 6 KEMs. There are more protocols than that interested in hybrid
KEM stuff.

Plus I am not aware of any protocol where consensus is that generic
composition is a great idea, let's do that.




-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
