> Yes, Meta has a good article on the topic > https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/
This is a good article— I want to highlight that Meta deployed Kyber/ML-KEM-512 only on their internal connections, and don't seem to have any plans to roll that out to their external connections. While -512 nicely fits existing infra, and I agree it should be available especially for IoT settings and internal deployments like Meta's, in general public internet settings it seems to be a a little riskier as a right-on-the-line parameter set for NIST Level 1 security than say -768, which has more headroom security-wise. On Fri, Nov 28, 2025, 2:17 AM John Mattsson <john.mattsson= [email protected]> wrote: > Hi Stephen, > > >Do you know if anyone's written up a description of that? > > Yes, Meta has a good article on the topic > > > https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/ > <https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/?utm_source=chatgpt.com> > > There has also been quite a lot written about middleboxes, > load-balancers, and other software that assume the ClientHello always fits > in a single packet. See e.g., > > https://blog.cloudflare.com/pq-2025/ > https://www.ietf.org/archive/id/draft-reddy-uta-pqc-app-07.html > > Just looking at the key share sizes, it is quite easy to see that you can > use ML-KEM-512 (800 bytes) and would have been able to fit X25519MLKEM512 (832 > bytes) and still fit ClientHello in a single packet. It is also quite > easy to see that it for many PMTUs it is problematic to fit ML-KEM-768 > (1184 bytes) and X25519MLKEM768 (1216 bytes) in a single packet. > > > https://datatracker.ietf.org/doc/draft-ietf-iotops-security-protocol-comparison/ > https://tls13.xargs.org/#client-hello > https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf > > While it did argue for X25519MLKEM512 (and X448MLKEM1024) I did not > understand at the time that I would have wanted X25519MLKEM512 for > middlebox traversal. Then I would have argued harder for X25519MLKEM512. > > The current situation is that OpenSSL 3.5 LTS has shipped with > X25519MLKEM768, ML-KEM-512, ML-KEM-768, and ML-KEM-1024 and even if TLS WG > standardise X25519MLKEM512 now, it will take several more years until it > would be added to a OpenSSL LTS, which a lot of infrastructure is based on. > That would make it hard to meet 2030 deadlines for PQC migration but would > meet 2035 deadlines. I can live with ML-KEM-512 for middle box traversal, > but if TLS WG does not publish ML-KEM-512, I would suggest that > X25519MLKEM512 is added to draft-ietf-tls-ecdhe-mlkem. > > (Regarding misbehaving servers, if they don’t handle fragmented > ClientHello they likely don’t support ML-KEM anyway and you need to retry > with standalone X25519. Middleboxes and load-balancers is the big problem) > > Cheers, > John > > On 2025-11-27, 20:43, "Stephen Farrell" <[email protected]> wrote: > > > Hi John, > > On 27/11/2025 16:02, John Mattsson wrote: > > - ML-KEM-512 is the only adopted quantum-resistant algorithm that > > can be used to bypass legacy middle boxes. > > Do you know if anyone's written up a description of that? > > Thanks, > S. > > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
