Given that it will be some years before we have verified modules with ML-KEM, it seems like P-256 + ML-KEM (as an evolution of P-256 + Kyber) will have utility for some time, for those who care about validation.
--Richard On Mon, Jun 3, 2024 at 4:32 PM Bas Westerbaan <bas= 40cloudflare....@dmarc.ietf.org> wrote: > X25519+ML-KEM will be acceptable for FIPS, just like P-256+Kyber is today. > We just need to wait for the final standard, and (crucially) for the > verified modules with ML-KEM. > > On Mon, Jun 3, 2024 at 8:56 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> > wrote: > >> >> I'm afraid I have no measurements to offer, but... >> >> On 03/06/2024 19:05, Eric Rescorla wrote: >> > The question is rather what the minimum set of algorithms we need is. My >> > point is that that has to include P-256. It may well be the case that >> > it needs to also include X25519. >> >> Yep, the entirely obvious answer here is we'll end up defining at least >> x25519+PQ and p256+PQ. Arguing for one but not the other (in the TLS >> WG) seems pretty pointless to me. (That said, the measurements offered >> are as always interesting, so the discussion is less pointless than >> the argument:-) >> >> Cheers, >> S. >> _______________________________________________ >> TLS mailing list -- tls@ietf.org >> To unsubscribe send an email to tls-le...@ietf.org >> > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-le...@ietf.org >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
