On Fri, Oct 10, 2025 at 08:16:09AM +0100, Kris Kwiatkowski wrote:
> > I was just drafting a message to suggest that the draf is missing an
> > obvious combination:
> >
> > MLKEM1024 + X448
> >
> > If MLKEM1024 is supported with SecP384r1 (P-384), it should also be
> > supported with X448. The supported combinations would then be more
> > "natural":
> >
> > MLKEM768 + either P-256 or X25519
> > MLKEM1024 + either P-384 or X448
> It was suggested in the past (both at the mailing list and at github), but
> the decision was made not to include this option since the use case for that
> combination was unclear. At the same time, keeping the number of algorithms
> to a minimum was considered beneficial.
>
> What would be the use case for that code point?
Well, if/when I need something stronger than MLKEM768 and choose to
reach for MLKEM1024, I'd frankly rather use it with X448 than with
P-384. Otherwise, if minimising code proints and if MLKEM1024 is not
compelling, just include MLKEM768.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
