Dear all, I do not support the publication of draft-ietf-tls-mlkem-08.
The proposal removes the classical hedge from TLS 1.3 key establishment. Keeping X25519 alongside ML-KEM costs only 32 bytes per key and 32 bytes per ciphertext, against ML-KEM-768's roughly 1.1 KB keys and ciphertexts. A hybrid remains secure if either component holds; solo ML-KEM is secure only if ML-KEM holds, forever, against classical and quantum cryptanalysis and against implementation flaws. Given the harvest-now-decrypt-later threat model that motivates PQC deployment, that bet is too large for a single new primitive. Best regards, Muhammed Ali Kösen Software Developer _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
