Addition of Brainpool curves to KEM procedures #600

Open
RodriM11 opened this issue Dec 22, 2024 · 2 comments
Labels
question No code change required

Comments

@RodriM11

Hi! I wanted to propose (especially since they are already present, up to some point, in the repository) the use of Brainpool curves (BrainpoolP256r1, BrainpoolP384r1 and BrainpoolP512r1) as a third option for hybrid KEM procedures, along with NIST P curves and X25519/X448.

They provide an additional source of hybrid configurations, and the interest in Brainpool curves is not new, as they are already being used in other scenarios (e.g. TLS support).

I wouldn't mind contributing to include them as another hybrid KEM configuration. The only "problem" I see is the Code Point policy to follow if these additional hybrid groups were to be added.

@RodriM11 RodriM11 added the question No code change required label Dec 22, 2024
@baentsch
Member

Thanks for the proposal @RodriM11! Do you see anyone interested in actually using this configuration? I'm a bit wary of adding stuff just because it's possible :) And indeed, code points would have to be properly (manually) managed given there is no draft spec (right?). The latter then also is the reason for having to document the "concatenation order" (which do you suggest?). Finally, which KEMs do you suggest augmenting this way?

@RodriM11
Author

RodriM11 commented Dec 24, 2024

Thanks for your answer @baentsch! It is my understanding that the interest in these curves has increased in recent years, motivated in part by agencies' recommendations (e.g. BSI), and to address some security concerns about NIST's P curves. For example, support for them in TLSv1.3 was added in the OpenSSL 3.2.0 release.

Regarding their inclusion, on a technical note, I would follow the already established order depending on whether the PQ algorithm is FIPS approved or not (i.e., they would follow the same construction as X25519/X448).
On a practical note, I completely understand the reticence about adding configurations "for the sake of it", but I think these curves will make a useful addition, and will be employed. Maybe they could be included for ML-KEM as a starting point (in the same fashion as done in the signature procedure), and added to other configurations if there is a desire for them to be used.
