I do not support the publication of this document. Both the ECDHE and ML-KEM components of hybrid key agreement have important roles to play in guaranteeing its security: ML-KEM obviously guards against harvest-now-decrypt-later quantum attacks, and ECDHE guards against the ongoing cryptanalysis of ML-KEM as well as side channels and other bugs in ML-KEM implementations, which are far less mature than elliptic curve implementations. A scheme without both presents a meaningfully increased risk to users compared to the hybrid key agreement schemes already being successfully rolled out.

If individual organizations want to use solo ML-KEM internally for whatever reason, there is nothing stopping them from doing so, with or without the tacit endorsement of an IETF publication. But as far as globally interoperable, RFC-compliant TLS deployments go, providing options that deviate from best practices exposes unsuspecting users to unnecessary risks. It's for this very reason that TLS 1.3 mandates ephemeral key exchange, despite the added computational effort for servers to generate unique keypairs. Nobody is proposing to allow server operators to disable forward secrecy, even though we're all trying our hardest to prevent key compromises anyway, because ephemeral keys mitigate the risks posed by static keys. In a similar vein, hybrid key agreement should remain as the single published PQ migration target for the foreseeable future because hybrid key agreement mitigates the risks posed by solo ML-KEM key agreement.


_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to