durumcrustulum's comments

durumcrustulum · 2025-11-28T03:48:34 1764301714

ML-KEM is a key establishment scheme, not a signature scheme.

westurner · 2025-11-28T07:41:44 1764315704

From Gemini then:

  Algorithm         Role
    Public Key Size   Signature / Ciphertext Size
  ECDSA P-256 (Identity / Signing)
    ~64 bytes      ~64 bytes
  X25519 (Key Exchange)
    32 bytes        32 bytes
  ML-DSA-44 (PQ; Identity / Signing)
    1,312 bytes     2,420 bytes
  ML-KEM-768 (PQ; Key Exchange)
    1,184 bytes     1,088 bytes

> If you tried to make "ML-KEM Certificates" (using a newer mechanism called AuthKEM where you authenticate by proving you can decrypt a challenge rather than signing), you would replace the ~2.4 KB ML-DSA signature with a ~1 KB ML-KEM ciphertext. This saves about 50% of the bandwidth compared to ML-DSA, but it is still roughly 35x larger than a traditional ECC certificate chain.

/? AuthKEM:

kemtls/draft-celi-wiggers-tls-authkem: https://github.com/kemtls/draft-celi-wiggers-tls-authkem

"KEM-based Authentication for TLS 1.3" https://kemtls.org/draft-celi-wiggers-tls-authkem/draft-celi... :

> Table 1. Size comparison of public-key cryptography in TLS 1.3 and AuthKEM handshakes.

  Handshake HS auth algorithm HS Auth bytes Certificate chain bytes Sum
  ...
  AuthKEM Kyber-768 2272 6152 (Dilithium-2) 8424
  AuthKEM Kyber-768 2272 2229 (Falcon-512) 4564

"KEM-based pre-shared-key handshakes for TLS 1.3" > "2.2. Key Encapsulation Mechanisms", "3. Abbreviated AuthKEM with pre-shared public KEM keys": https://kemtls.org/draft-celi-wiggers-tls-authkem/draft-wigg...

westurner · 2025-11-28T07:54:25 1764316465

Is this the thing with ML-KEM, then:

> [With AuthKEM,] you would replace the ~2.4 KB ML-DSA signature with a ~1 KB ML-KEM ciphertext.

durumcrustulum · 2025-11-28T13:03:32 1764335012

What "the thing"? AuthKEM isn't being deployed anywhere.

westurner · 2025-11-28T18:08:27 1764353307

How much more complex is the difference than 2.4 KB w/ ML-DSA or ~1 KB w/ ML-KEM?

durumcrustulum · 2025-12-02T00:34:16 1764635656

I'm sorry I don't understand what you're asking

westurner · 2025-12-03T04:27:01 1764736021

Though there is a difference between a cert signature (ML-DSA) and a challenge (ML-KEM), ultimately and fundamentally, isn't real key size still a relevant metric for comparison.

(Everyone dnvoted this like -6/-7. I guess they didn't understand the relevance.)

IDK a terse analogy then:

MerkleCerts + ML-DSA : ML-DSA :: Challenge (ML-KEM,) : ____ (ML-DSA)

Merkle-signing cert trust roots is a security/bytes-transferred efficiency tradeoff.

What is the difference in number of bytes seemed usefully relevant to me at least.

durumcrustulum · on Dec 11, 2022

> the god-damned plane has crashed into the mountain

I've got information, man— new shit has come to light

durumcrustulum · on April 19, 2017

This was given at an academic crypto conference, it would be considered gentle-ish for that audience, not hacker news.