Hybrids are mandatory for protocols like IKEv2 over UDP to handle
fragmentation (traditional key exchange followed by a PQ KEM), see
https://datatracker.ietf.org/doc/draft-kampanakis-ml-kem-ikev2/.

-Tiru

On Sat, 16 Nov 2024 at 11:43, Watson Ladd <[email protected]> wrote:

>
>
> On Fri, Nov 15, 2024, 8:52 PM Andrey Jivsov <[email protected]> wrote:
>
>> On Fri, Nov 15, 2024 at 3:56 PM Watson Ladd <[email protected]>
>> wrote:
>>
>>> ...
>>> Why not hash based signatures?
>>>
>>
>>  I think that the stateful ones are perfectly suited for certifications
>> in X.509 certs, but in the TLS handshake this has to be SPHINCS+, at 16.2KB
>> per signature at the AES-192 security level. In addition to size concerns,
>> it's not allowed in CNSA 2.0. Are vendors considering SPHINCS+ for this
>> purpose?
>>
>
> If CNSA 2.0 is the guide why consider hybrids?
>
>> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>