2026-07-06 09:50 GMT+02:00 Stephan Neuhaus <[email protected]>:
> Perhaps to illustrate my point, WolfSSL has received a CVE for a bug in 
> ML-KEM on https://nvd.nist.gov/vuln/detail/CVE-2026-10097.

That CVE has already been discussed in this thread, and has no impact on 
ephemeral key exchange in TLS. It is actually pretty hard to implement ant 
ephemeral key exchange so wrong that it matters.

(We also had long discussions on whether non-ephemeral key reuse should be 
allowed, and the group seems to mostly agree it should not. I suggest reading 
the archives for details if you are new.)

> I do remember seeing this with a CWE of CWE-327: Use of a Broken or 
> Risky Cryptographic Algorithm, but that has since changed in the NVD to 
> read CWE-697: Incorrect Comparison. (See the CVE change history in the NVD.)
> 
> Cheers
> 
> Stephan
> 
> On 7/1/26 12:32 PM, Stephan Neuhaus wrote:
> > I do not support the publication of this document.
> > 
> > I remember well that security standards get broken: when they have been 
> > well-reviewed, but especially when they're new. Bugs show up in the 
> > math, but also in implementations. Lattice cryptography seems to me to 
> > be a very active field of research, when quite fundamental results (and 
> > bugs!) are still being discovered, both in the math and in the 
> > implementations. From a risk-management perspective alone, I believe 
> > that it's too risky to standardise, even as "informational", a mode of 
> > encryption that relies only on these new methods.
> > 
> > Cheers
> > 
> > Stephan
> > 
> > PS: Full disclosure: I have just joined the TLS mailing list, mainly to 
> > say just this. I also have no standing in the cryptographic community, 
> > except that I have published a paper last year together with Peter 
> > Gutmann of this parish, about how all of the published quantum 
> > factorisation records are bogus [1]. What kind of standing this gives 
> > me, if any, is anybody's guess.
> > 
> > [1] https://eprint.iacr.org/2025/1237
> > 
> > _______________________________________________
> > TLS mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> 
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> 
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to