I do not support publication of this document. The hybrid approach (draft-ietf-tls-ecdhe-mlkem) provides defense-in-depth: if ML-KEM is broken by classical cryptanalysis, ECDH still protects the session. This draft removes that fallback for no meaningful benefit—the overhead difference is approximately 100 bytes per handshake.
ML-KEM has two years of deployment experience. ECDH has forty years of cryptanalysis. SIKE was broken shortly after NIST selection, demonstrating that post-quantum algorithms can fail unexpectedly. Removing the classical fallback is a security regression, not an improvement. The hybrid draft is already approved and in the RFC Editor queue. Chrome, Firefox, and Edge ship X25519MLKEM768 as their default. There is no demonstrated need for a pure ML-KEM option that abandons defense-in-depth. Mark Atwood _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
