On Fri, May 29, 2026 at 10:53:57PM +0200, Muhammad Usama Sardar wrote:
> Thanks all for the comments. Some thoughts inline:
>
> > - This concerns KEMs in general and is independent of
> > draft-ietf-tls-mlkem, ML-KEM, and PQ. [...]
> >
> > I don't think a formal FATT process should be started. I want
> > X25519MLKEM758 published as soon as possible.
> >
> >
> > Can you explain why the symmetric argument in your draft does not hold
> > for hybrid key exchange?
>
> FWIW, I tried to address the concern on hybrid/X25519MLKEM758 already in
> Sec. 4.1 [0].
>
> I would like to clarify that I am not at all proposing to
> block X25519MLKEM758. Please let me know exactly where there is this
> ambiguity in Sec. 4.1. Happy to rephrase it or clarify it.
That does not address the concerns. The same issue _does_ apply to X25519MLKEM768 — as I and some others have already explained. The arguments about "some level of symmetry" are unsound.

Moreover, I do not think it is possible to prove soundness of X25519MLKEM768 without proving soundness of stand-alone ML-KEM — as soundness of X25519MLKEM768 includes it having the hybrid property, meaning it is still secure if ML-KEM is secure, no matter how thoroughly X25519 is destroyed. Conversely, if stand-alone ML-KEM is not sound, then X25519MLKEM768 is not sound either.

-Ilari

_______________________________________________
TLS mailing list -- [email protected]
