* >> 65536-bit RSA is "more secure" than 2048-bit RSA, is that a compelling >> argument to never use 2048-bit RSA, and always use 65536-bit RSA?
* This is comparing small apples and big apples whereas the comparison under discussion is "apples concatenated with oranges" vs. "oranges only". Why did we standardize ECC signatures over moving from 2K RSA to 4K RSA? Why did we standardize ECDH key exchange over classic DH? Almost all the arguments pretty much came down to efficiency of size, computation, etc. Are you so confident of all global deployments of TLS that you can assert that pure MLKEM is never worth the efficiency gain? And who would you believe if they told you otherwise?
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
