I feel I need to ask this (both to you and to others who have suggested that ML-KEM cannot be trusted): do you support the publication of draft-ietf-tls-ecdhe-mlkem?
That draft would appear to be TLS working group's answer to postquantum privacy, and I expect that it would be extensively used in that role. However, if you don't trust that ML-KEM is secure, then you can't trust that draft-ietf-tls-ecdhe-mlkem is postquantum secure. That sounds like you would be recommending people to use something that you don't believe meets the security goal, and would be, in fact, insecure after Q-day. Now, if you make the weaker statement that "ML-KEM is likely to be secure, but doing ECDH alongside it is cheap and gives me the warm fuzzies", that's a reasonable statement - however, just because ML-KEM only doesn't give you the same warm fuzzies seems like a weak justification for attempting to block it. ________________________________ From: Fe Lix <[email protected]> Sent: Thursday, July 2, 2026 12:48 PM To: [email protected] <[email protected]> Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08) Hi yall. I'm Félix Fischer Marqués. I'm from Chile. I don't support the publication of this document. As to why, that's coming up next. I'll try to be brief. In cryptography today, we rely on strong assumptions. We try to make the least amount of those we can, but as of right now, we're kind of screwed: we must make assumptions. Nonetheless, we try to keep the number and strength of them as low as we can. This draft assumes that ML-KEM is computationally strong. Meaning, it assumes that any adversary would indeed need an exponentially-growing amount of resources to break it (exponential in terms of the cost to the users). That's an extremely silly assumption to make. There is so much we just don't know about computational complexity that, in the best scenario, I would describe this as hubris. We don't even know if one-way functions exist, much less public-key cryptography. Let's remain humble and accept the reality that ML-KEM might not be computationally strong at all. We have to remember that standards like these are adopted in tens of millions of devices. Hubris here kills people over there. Have a good week. -- Félix
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
