cose-wg / HPKE


Reduce the number of ciphersuites #36

Closed hannestschofenig closed 9 months ago

hannestschofenig commented 1 year ago

The group needs to decide what ciphersuites it wants to have listed in the draft. The idea is to only list those ciphersuites that are needed by developers rather than exhaustively listing all combinations.

Input appreciated!

selfissued commented 1 year ago

I agree that less is more. Selecting a subset of those chosen by MLS sounds like a good starting point.

ilaril commented 1 year ago

Unfortunately, there are problems with choosing a subset of the MLS cipher suites:

  1. The MLS cipher suite selection is flawed.
  2. MLS does not use compact curves: Compact curves have smaller representations, which is very attractive for constrained applications.

What I think is the absolute minimum:

  1. CP256-SHA256-AES128GCM (1 byte range!)
  2. CP384-SHA384-AES256GCM
  3. X25519-SHA256-Chacha20Poly1305
  4. X25519-SHA256-AES128GCM
  5. X448-SHA512-Chacha20Poly1305
  6. X448-SHA512-AES256GCM
  7. X25519Kyber768-SHA256-Chacha20Poly1305
  8. X25519Kyber768-SHA256-AES256GCM

... But I still think all 18 should be supported.

Remember, this is not about what an individual application needs to support (it can profile down to a single cipher suite); it is about what any application can support.

And if non-base modes are to be supported, this obviously causes combinatorial blowup.

hannestschofenig commented 9 months ago

We have to remove Kyber from the list since it would block the publication of this document. So far I haven't heard anyone from the constrained IoT device community asking for the compact curves. They probably don't use HPKE in the first place.

PR with the reduced ciphersuite list created here: #48