On Thu, Jul 09, 2026 at 03:01:42AM +0300, David Gessel wrote:

> On "the same issue" (Paul) and "by the same logic" (Scott): the ML-KEM
> component is identical in both documents; the consequence of its failure is
> not.

Actually, the consequence is precisely identical.  The covert channel
is unaffected by the presence or absence of a classical ECC KEM component.

> If some flaw is found in ML-KEM,
> hybrid's retains today's TLS strength against whatever advantage quantum
> gives attackers, but there is a non-zero possibility of an algorithmic or
> implementation failure that compromises the inarguably less proven ML-KEM.

The "flaw" in question is not in ML-KEM, it is in the RNG, and the
question is whether the encapsulating side's ML-KEM implementation
should specifically distrust its own RNG (but trust that its hash
function does not, e.g., merely encrypt `m` with the attacker's
key, rather than compute the expected one-way hash).

If the RNG is in fact designed to covertly leak its state, facilitating
prediction of future outputs that might be of interest to the attacker,
then both pure and hybrid ML-KEM are equally affected.

> My objection is, and was, about the worst-case not expected, so the argument
> applies to both documents and is discharged by construction in one of them.

And yet, the covert channel issue applies equally to both.

-- 
    Viktor.  🇺🇦 Слава Україні!

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to