On Mon, Jun 01, 2026 at 06:56:57PM +0200, David Stainton wrote:
> I support initiating the FATT process here, and I support the work Usama is
> doing to use symbolic models to better understand the protocol's security
> properties. Even where existing proofs give us confidence, having an
> explicit symbolic analysis of the standalone-KEM case is the kind of thing
> that's worth doing rather than assuming, and there are clearly participants
> willing to do it.

I do not think there is any justification for doing FATT process for
stand-alone ML-KEM, but not for X25519MLKEM768. Any flaw in integration
of the former is highly likely to directly translate into a flaw in the
latter — due to the hybrid property.

However, I think it is extremely unlikely that any such flaws exist.
Therefore I do not think either requires FATT process.

-Ilari
