I do not support publication of this document.

The hybrid approach (draft-ietf-tls-ecdhe-mlkem) provides defense-in-depth: if 
ML-KEM is broken by classical cryptanalysis, ECDH still protects the session. 
This draft removes that fallback for no meaningful benefit—the overhead 
difference is approximately 100 bytes per handshake.

ML-KEM has two years of deployment experience. ECDH has forty years of 
cryptanalysis. SIKE was broken shortly after NIST selection, demonstrating that 
post-quantum algorithms can fail unexpectedly. Removing the classical fallback 
is a security regression, not an improvement.

The hybrid draft is already approved and in the RFC Editor queue. Chrome, 
Firefox, and Edge ship X25519MLKEM768 as their default. There is no 
demonstrated need for a pure ML-KEM option that abandons defense-in-depth.

Mark Atwood

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to