Closed ounsworth closed 1 month ago
The other consideration here is aligning with OpenPGP, and particularly the combinations suggested by Quynh Dang in his OpenPGP slides.
More comments from Sophie:
For compliance, the most important considerations are on the classic side of the hybrid, with the only PQC compliance requirements going beyond the security analysis above being CNSA's wish for ML-KEM1024. But CNSA2 also prefers non-hybrid solutions, so I'm not sure whether we should hybridize with ML-KEM1024 at all. For ML-KEM512, there currently seems to be no compliance forcing its adoption over ML-KEM768, with only some performance considerations having slight preferences, but in my opinion the security considerations weigh heavier here, and we should find other ways to alleviate the performance issues.
You can remove any ML-KEM512/brainpool combinations: https://mailarchive.ietf.org/arch/msg/spasm/hgqa5pfwrg6-I5BTA4mjw3vMs1Y/
ANSSI/BSI are the brainpool proponents; however, they only allow ML-KEM768/1024.
This has been merged.
https://mailarchive.ietf.org/arch/msg/spasm/khasPf3y0_-Lq_0NtJe92unUw6o/
Sophie suggests removing ML-KEM512 and possibly the ML-KEM1024 combinations.
Piotr proposes a full updated table with a reduced list.