On Wed, Jun 24, 2026 at 08:00:07AM -0700, Joseph Salowey via Datatracker wrote: > This message initiates a new Working Group Last Call for > draft-ietf-tls-mlkem[1], which defines standalone ML-KEM key > establishment for TLS 1.3.
I support publishing this. I do not think hybrids are a major improvment. However, because hybrid key exchange in TLS 1.3 is extraordinarily cheap, I think ECDH+PQ hybrids should be used unless following security profile standard specifying otherwise, CRQCs having rendered traditional cryptography moot, or system constraints somehow make hybrids impractical. And given how close my position is, it takes very little to tilt the scale the other way. Furthermore, CRQC appearing would instantly tilt the scale the other way. So I think wanting to use stand-alone ML-KEM is completely understandable. (My position on hybrid signatures is very different due to much bigger costs, and is not even close to the tipping point.) ML-KEM security, mathematical level: ------------------------------------ Post-quantum cryptography is not a type of cryptography, it is attribute of cryptography. The candidates to NISTPQC were very diverse, and as different types of cryptography tend to have different attacks (with some common ones), one can not use failures of other types (e.g., SIKE) or the general failure rate (there was plenty of "snake oil") as evidence against Kyber/ML-KEM. For the submissions based on lattices, the issues seemed to be mostly bad parameter choices and some other details. Which is also to be expected, and does not reflect badly on Kyber/ML-KEM. The MLWE problem underlying Kyber/ML-KEM seems to be the best problem currently available. Decent message sizes combined with loads of analysis. LWE would be even better from analysis standpoint, but the message sizes are pretty painful. Cryptography based on lattices is not new. NTRU is from 1996, and LWE (which is commonly regarded as better than NTRU) is from 2005. In addition Kyber/ML-KEM also has extensive analysis as part of NISTPQC, probably exceeding any other candidate KEM. Lattices are also a generally useful topic, and as such have attracted a lot of mathematical research for a long time. And looking at known attacks, it is clear that anything besides breaking ML-KEM-512 with extreme effort (not going to be worth it) requires a fundamentally new attack. Comparing to ECC, ECC has also seem a lot of analysis since it was introduced in 1985, and is also based on generally useful topic that has attracted a lot of mathematical research over a long time. Breaking the cases that have not already been broken also requires either quantum computer or a fundamentally new attack. ML-KEM security, implementation level: -------------------------------------- Unlike mathematical level, which needs to stand the test of time, the implementations do not. A well-done implementation is good right off the gate. A badly-done implementation will remain bad even after plenty of time. Implementation quality is not gated by algorithm understanding or CS theory. As consequence, implementations do not really improve over time. More implementations get written, some of those are good. And the bad implementations tend to patch the worst stuff (but likely never become good). Fortunately, implementation quality of ML-KEM in TLS is not very important: ML-KEM is not prone to to implementation flaws so bad that all security is destroyed, hybrid or not. The remaining flaws tend to be either strongly mitigated by not reusing keys (required by RFC8446bis) or destroy interop. Hybrids are practically useless here. Comparing to ECC, ECC also has history of all kinds of bad implementations. And some forms of ECC (thankfully not supported in TLS 1.3) are not resistant to flaws that instantly destroy all security. -Ilari _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
