Dear all,

I do not support the publication of draft-ietf-tls-mlkem-08.

The proposal removes the classical hedge from TLS 1.3 key establishment.
Keeping X25519 alongside ML-KEM costs only 32 bytes per key and 32
bytes per ciphertext, against ML-KEM-768's roughly 1.1 KB keys and
ciphertexts. A hybrid remains secure if either component holds; solo
ML-KEM is secure only if ML-KEM holds, forever, against classical and
quantum cryptanalysis and against implementation flaws. Given the
harvest-now-decrypt-later threat model that motivates PQC deployment,
that bet is too large for a single new primitive.

Best regards,
Muhammed Ali Kösen
Software Developer
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to