> and (crucially) for the verified modules with ML-KEM.

True, but the NIST queue is over 2+ years right now. Check out the Modules In Process which go back to 2022:
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list

So, if we only got X25519+ML-KEM we would not be able to use PQ-hybrid in endpoints that require compliance for >=2.5 years.

From: Bas Westerbaan <bas=40cloudflare....@dmarc.ietf.org>
Sent: Monday, June 3, 2024 4:31 PM
To: Stephen Farrell <stephen.farr...@cs.tcd.ie>
Cc: Andrei Popov <Andrei.Popov=40microsoft....@dmarc.ietf.org>; Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>; tls@ietf.org
Subject: [TLS]Re: [EXTERNAL] Re: Curve-popularity data?

X25519+ML-KEM will be acceptable for FIPS, just like P-256+Kyber is today. We just need to wait for the final standard, and (crucially) for the verified modules with ML-KEM.

On Mon, Jun 3, 2024 at 8:56 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:

I'm afraid I have no measurements to offer, but...

On 03/06/2024 19:05, Eric Rescorla wrote:
> The question is rather what the minimum set of algorithms we need is. My
> point is that that has to include P-256. It may well be the case that
> it needs to also include X25519.

Yep, the entirely obvious answer here is we'll end up defining at least x25519+PQ and p256+PQ. Arguing for one but not the other (in the TLS WG) seems pretty pointless to me. (That said, the measurements offered are as always interesting, so the discussion is less pointless than the argument :-)

Cheers,
S.

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org