Addition of Brainpool curves to KEM procedures

[RodriM11]

Hi! I wanted to propose (specially since they are already present, up to some point, in the repository) the use of Brainpool curves (BrainpoolP256r1, BrainpoolP384r1 and BrainpoolP512r1) as a third option for hybrid KEM procedures, along with NIST P curves and X25519/X448.

They provide an additional source of hybrid configurations, and the interest in Brainpool curves is not new, as they are already being used in other scenarios (e.g. TLS support).

I wouldn't mind contributing to include them as another hybrid KEM configuration. The only "problem" I see is the Code Point policy to follow if this additional hybrid groups were to be added.

[baentsch]

Thanks for the proposal @RodriM11! Do you see anyone interested in actually using this configuration? I'm a bit wary adding stuff just because its possible :) And indeed, code points would have to be properly (manually) managed given there is no draft spec (right?). The latter then also is the reason for having to document the "concatenation order" (which do you suggest?). Finally, which KEMs do you suggest augmenting this way?

[RodriM11]

Thanks for you answer @baentsch ! It is my understanding that the interest for these curves has increased in recent years, motivated in part by agencies recommendations (e.g BSI), and to address some security concerns of NIST's P curves. For example, support for them on TLSv1.3 was added on OpenSSL 3.2.0 release.

Regarding their inclusion, on a technical note, I would follow the already established order depending on whether the PQ algorithm is FIPS approved or not (i.e., they would follow the same construction as X25519/X448).
On a practical note, I completely understand the reticence of adding configurations "for the sake of it", but I think these curves will make an useful addition, and will be employed. Maybe they could be included on ML-KEM as a starting point (in the same fashion done in the signature procedure) and add them to other configurations if there is a desire for them to be used.

[RodriM11]

Just a quick question before I dive into coding this: what would be an acceptable "starting point" for hybrid Brainpool KEM IDs? For coherence with established IDs (starting ID 0x2F00 for p-Hybrid, 0x2F80 for X-hybrid), I thought of 0x2FF0, but that might be too close to the kem_nid_hybrid_end (although it won't be reached yet, as I will only introduce Brainpool as hybrid procedure with ML-KEM, as discussed) .

[baentsch]

Please take a look at #561: All code points arguably need a review and many a re-do... The addition of a whole new bunch may be the opportunity to do it all and this time in line with IANA. Would you be willing to take this on @RodriM11 as part of this issue too? At the very least, please put the new Brainpool code points that you suggest (assuming they don't have assigned code points, right?) into the reserved space so we don't run into the same problem as with ML-KEM again...

[RodriM11]

Sure @baentsch, I will take a look at #561 too. I have a couple questions with that one , but I will ask them on that issue. I will get on with both as soon as we close #599 , so I can close and use some changes made there.