[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

Mon, 20 Oct 2025 05:12:41 -0700 

What's the difference between an ephemeral key that's reused and a static
key?


-Ekr


On Mon, Oct 20, 2025 at 5:10 AM John Mattsson <john.mattsson=
[email protected]> wrote:

> SP 800-227 is already required by FIPS 203 for the use of ML-KEM in
> applications. Referencing SP 800-227 directly, rather than just indirectly
> through FIPS 203, is not a technical change.
>
>
>
> SP 800-227 disallows the use of an ephemeral key in more than one
> key-establishment execution. It permits the reuse of static keys, as well
> as the reuse of ephemeral keys across multiple key shares, provided that
> only one of those shares is used for key establishment.
>
> John
>
>
>
> *From: *Kris Kwiatkowski <[email protected]>
> *Date: *Monday, 20 October 2025 at 13:29
> *To: *[email protected] <[email protected]>
> *Subject: *[TLS] Re: Working Group Last Call for Post-quantum Hybrid
> ECDHE-MLKEM Key Agreement for TLSv1.3
>
> Just to be crystal clear - that would be a way to disallow a key reuse in
> TLS v1.3 when using MLKEM (as per RS6 in Section 1.3). Correct?
>
> On 20/10/2025 12:05, John Mattsson wrote:
>
> Hi,
>
> I am cornered with the current PR #53 suggesting that SP 800-227 “provides
> general guidance”. This is not a correct description.
>
>
>
> As stated in FIPS 203, SP 800-227 provides requirements for the use of
> ML-KEM in applications. TLS 1.3 is such an application.
>
> Unless the working group wants to discuss each requirement in detail, I
> would suggest just adding:
>
> ”As stated in FIPS 203 {{FIPS203}}, SP 800-227 {{NIST-SP-800-227}}
> provides requirements for the use of ML-KEM in applications.”
>
>
> In general, I think it is very important that IETF follows NIST
> requirements when using a NIST algorithms like ML-KEM.
>
> Cheers,
> John
>
>
> https://github.com/tlswg/tls-ecdhe-mlkem/pull/53
>
> https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf
>
>
>
> _______________________________________________
>
> TLS mailing list -- [email protected]
>
> To unsubscribe send an email to [email protected]
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to