Removing some of the eFRODOKEM suites? #4506

Open
randombit opened this issue Dec 30, 2024 · 2 comments

Comments

@randombit
Owner

@reneme

While working on #4403 I see we have quite a few eFRODOKEM suites, and I'm not sure it makes sense to include all of them from OQS, since OQS seems like they are just implementing anything/everything. Could we deprecate some and consolidate this down to, say:

eFRODOKEM_{640,1344}_SHAKE
secp256r1+eFRODOKEM_640_SHAKE
secp521r1+eFRODOKEM_1344_SHAKE

Points here:

  1. AES vs SHAKE: I don't really care. AES is much faster on systems with AES hardware; I just picked SHAKE since that (sigh) seems to be the fashion these days for PQ.
  2. Picking {640,1344} vs {640,976}: don't care, just trying to limit it to 2 vs 3 levels.
  3. For hybrid, using NIST vs X-curves: don't much care.
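The consolidation rules in the proposal above (SHAKE only, levels 640 and 1344, and one fixed NIST-curve partner per level) can be written down as a small policy check that lints a suite list and explains why each dropped suite goes. The following is an added example for this thread, not Botan or OQS code; the suite identifiers in CANDIDATE_SUITES are constructed in the naming style used in the issue and are not a real suite table, and the parser only knows the `curve+eFRODOKEM_<n>_<prf>` shape seen here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: a hypothetical "zoo" of eFRODOKEM suite identifiers in the
# naming style used in the issue. Not taken from any real Botan/OQS suite table.
CANDIDATE_SUITES = [
    "eFRODOKEM_640_SHAKE", "eFRODOKEM_640_AES",
    "eFRODOKEM_976_SHAKE", "eFRODOKEM_976_AES",
    "eFRODOKEM_1344_SHAKE", "eFRODOKEM_1344_AES",
    "secp256r1+eFRODOKEM_640_SHAKE", "secp256r1+eFRODOKEM_640_AES",
    "x25519+eFRODOKEM_640_SHAKE",
    "secp384r1+eFRODOKEM_976_SHAKE",
    "secp521r1+eFRODOKEM_1344_SHAKE", "x448+eFRODOKEM_1344_SHAKE",
    "secp256r1+eFRODOKEM_1344_SHAKE",   # classical and PQ levels mismatched
]

# The consolidated set proposed in the issue, expressed as policy rules.
KEPT_PRF = "SHAKE"
KEPT_LEVELS = {640, 1344}
HYBRID_PARTNER = {640: "secp256r1", 1344: "secp521r1"}

# Assumed identifier shape: eFRODOKEM_<parameter set>_<AES|SHAKE>
KEM_RE = re.compile(r"^eFRODOKEM_(?P<n>\d+)_(?P<prf>AES|SHAKE)$")


@dataclass(frozen=True)
class Suite:
    name: str
    curve: Optional[str]   # None for a pure-PQ suite
    n: int                 # FrodoKEM parameter set (640 / 976 / 1344)
    prf: str               # "AES" or "SHAKE"


def parse_suite(name: str) -> Suite:
    """Split 'curve+KEM' or plain 'KEM' identifiers into their components."""
    parts = name.split("+")
    if len(parts) == 1:
        curve, kem = None, parts[0]
    elif len(parts) == 2:
        curve, kem = parts
    else:
        raise ValueError(f"unexpected suite identifier: {name!r}")
    m = KEM_RE.match(kem)
    if not m:
        raise ValueError(f"not an eFRODOKEM suite: {name!r}")
    return Suite(name, curve, int(m.group("n")), m.group("prf"))


def classify(suite: Suite) -> Optional[str]:
    """Return None if the suite stays, otherwise the reason it is deprecated."""
    if suite.prf != KEPT_PRF:
        return f"{suite.prf} variant dropped in favour of {KEPT_PRF}"
    if suite.n not in KEPT_LEVELS:
        return f"level {suite.n} dropped; keeping {sorted(KEPT_LEVELS)}"
    if suite.curve is not None and suite.curve != HYBRID_PARTNER[suite.n]:
        return f"hybrid partner for level {suite.n} should be {HYBRID_PARTNER[suite.n]}"
    return None


def consolidate(names):
    """Partition suite names into (kept list, {deprecated name: reason})."""
    kept, deprecated = [], {}
    for name in names:
        reason = classify(parse_suite(name))
        if reason is None:
            kept.append(name)
        else:
            deprecated[name] = reason
    return kept, deprecated


if __name__ == "__main__":
    kept, deprecated = consolidate(CANDIDATE_SUITES)
    print("keep:", *kept, sep="\n  ")
    print("deprecate:")
    for name, why in deprecated.items():
        print(f"  {name}: {why}")
```

Running it against the constructed list keeps exactly the four suites named in the proposal and prints a reason for each of the others, including the mismatched `secp256r1+eFRODOKEM_1344_SHAKE`, which the per-level partner rule rejects even though both halves are individually allowed.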
@mouse07410
Contributor

Yes please, 1344 rather than 976; yes please, NIST curves.

Re. AES vs. SHAKE: you're correct, SHAKE is the rage, but all the current hardware has some kind of AES acceleration, vs. nothing for SHAKE. Don't know the best path forward.

@reneme
Collaborator

reneme commented Dec 30, 2024

Re: excessive support of PQ/hybrid suites: I agree, that zoo is just way too big and should be pruned. I feel that right now it's really just guesswork on what combination will be useful and/or recommended by relevant authorities. E.g. I wouldn't be surprised if BSI were to recommend brainpool+FrodoKEM for certain applications.

In that situation, I feel we should just deprecate all suites that don't stem from an IETF draft and instead invest in an easy-to-extend TLS suite API, so that applications can mix and match if and what they need.
