2020.07.30 07:09:21 (1288703206214664192) from Daniel J. Bernstein, replying to "Nadim Kobeissi (@nadim@symbolic.software) (@kaepora)" = "Nadim Kobeissi (@kaepora)" (1288697572308262913):
NIST's report https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8309.pdf says, for totally unclear reasons, that 20,000 extra bytes is "unacceptable" in TLS key exchange. I ask for a rationale: https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/7aenKgDWV2k/RqlEHB2yDQAJ. NIST replies that other options are more efficient. This doesn't answer the question at all.