IETF Logo Mail Archive

[CFRG] Re: PQ KEM Security Considerations

Nick Sullivan <nicholas.sullivan@gmail.com> Wed, 20 May 2026 15:52 UTC

Return-Path: <nicholas.sullivan@gmail.com>
X-Original-To: cfrg@mail2.ietf.org
Delivered-To: cfrg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0E53EF1ADFFA for <cfrg@mail2.ietf.org>; Wed, 20 May 2026 08:52:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779292339; bh=foufRRX4HMWeBpK/fPgA/grJ/Sdc0WfxgzOXHfhqfpU=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=ESRSST9Dp/nK576jEDVWzxFtd2SQ0RiM/S0PIjm7BGjODWA5NEZxrpTndneg/i1k2 gm31daRIB6/L6HfhZWbROW10R7vyPa7SD5rjljFW1Wb/xEZM25Fgx8OZp3znm5B7J7 GbOJpyoVglj4pINTH6vaAx4P1CDj7zMdZ0Ujxjm8=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0XbMa1vQGCo5 for <cfrg@mail2.ietf.org>; Wed, 20 May 2026 08:52:15 -0700 (PDT)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8A183F1ADE93 for <cfrg@irtf.org>; Wed, 20 May 2026 08:50:25 -0700 (PDT)
Received: by mail-pf1-x430.google.com with SMTP id d2e1a72fcca58-82748257f5fso3861318b3a.1 for <cfrg@irtf.org>; Wed, 20 May 2026 08:50:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779292224; cv=none; d=google.com; s=arc-20240605; b=T0tZdNPyA7Q44mSCdq5m21s6vL5mc/DPkDtyUf5A+Y0j2uoEX/ue6Cw2+TLj5HupkX mkE545xetWFfjjChzrQn9l0FAg7emAxmKM96E8dOXKPeZa45br1PH68lOP3PFQzIgRve 56rzFfkS/EWFJ1erwFAqP5EtUW4Xc3Xlw5DWm4AOaqIxRXrHofvQTBbbN+nU2JBDrXmQ xoVw0U2Uu66buuE5XaxaCD9Bk71AWc1XBJm3ARuOvAMYMqSib2XdwgrHQYaCXvQ2UWXQ mFTVPOeh725qRIPv1df3mDhjvSnPhFjL6iTzRwaHExbUSS4qkQ9I6Q4dlf46OK9bDmzW qgYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=foufRRX4HMWeBpK/fPgA/grJ/Sdc0WfxgzOXHfhqfpU=; fh=57v5bQznwvd0VZEWkBr1xlPdp9jcIIkQDz3Hoo1EzAE=; b=Q88mur7bf65uEshqPKYBihHV/4a4uHk6s3S0DmtLGvi0WEXVJffNMRkfxuLsOPXrOg tGnkZO13tUG7I936OTt7gpedSJccWip5RT62DHdKbFcrZb5ALsae5K4HIoofSnA2rbIM SUXbe8DrDYV61DVzGb2sXY5hlTdKVERehVLywqou2wxkdTOTZSqZ134LRmThxSz5kh1W L+NqcOeQwLeasTPdhjTfwWtTIaNDvp/PFs95YyiQuvMmGmJYAE2S9+BMNQ4q7R3L0apr 42a3DY/DqAuTQlw9J0hzMC32ns5fd1zt0s0ZRXOITfvtJh1iz7fHUdvlLtyZY59DY6Pw HWkQ==; darn=irtf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779292224; x=1779897024; darn=irtf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=foufRRX4HMWeBpK/fPgA/grJ/Sdc0WfxgzOXHfhqfpU=; b=qWu4UMWaFBvQkhpLtU+qeMw1CPh9c+vfgspLu10/Y8NUryCyBb0g8mnQ9K05IPOKSP cWloSdMzIZgSaJR5AnRRswihNWcra3QkPQEO9U6o9XGsgtIPh4nH7biBRWb04gZnhVPE b6k0J0EDmsXT5vsT5yd5aWpsBvvBk9RMpTpW5w+wd1ctaZbFZ5VAuc0eg3txnxYP+Gz1 c6vHvzNN2sQJ53uk40Hq78Tf9qTwzbTCWFd0hWiFyAdBt6q85xTqB/ocstEPykMfgKyv 5LYkAT0FBGVYy8Z9s7bsdY3arxE+98o4h4D6wZnKu9e1CPoJLpMyKrwqjE7XLzw3uI8V O0Zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779292224; x=1779897024; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=foufRRX4HMWeBpK/fPgA/grJ/Sdc0WfxgzOXHfhqfpU=; b=e/Y48xU+wNGCjd+AJGexxhqJMSUV88KZynL8FyzcPaGIKoKKP9H5UOP7RUu9fRuBH6 xKk9letb+pJ+dduNdvZFzHMg9MY5h7EVoHZ3m+kiRzQ3siCAQ+yRkuGANuZICzPKNPGX 2GKt9GjSLlMv0F0IzyZaGnOeTMg3fj8O8OEbRNEpycYP8ZJy5nw+KSXhyL6ZkULq8Y8u VdempRhGHtfcvi2VVkxq95iS+EvBzMmRHxum0TizumFNxXsCjf2N2di23kyCNtT65wRp Kprwc6gzMjcNo8LpPL3OKOb1tNKLzccOz6Is1Ndr4RIVXyt/IX5GlZITDJI7GaOOtxEd BrrQ==
X-Gm-Message-State: AOJu0YxnPNSmfC1QvmsMMXY0akg3KH8pSrbASu6l2l5jdUc9msqpituX O5DTfXqzkVm+/BzuBoOfSwuYOd7XU3sCAdFT5YLNP4p0K2xbzey2cqLts0Kw3T0r0Mu03mIJggw UljsaCMNN6npUZXcnctIe+pZ4Z7+xv1kvX0LRYmhjuw==
X-Gm-Gg: Acq92OGQ/Hjvp1FTuxCiiReppVgrpD0ubbCsKVH8yqwJxxCu3IvagVkkWCIVUcNzDJv MBmUdHSazAxps9eLnKLdkW9c/P3twqTLYXhoujSSebNjFGmcGN3OufZdEsPtb36CiywtQUAqFa2 ZKpinTixex6vZCBZ4FAq3AJN4TYtAqVYH6Jj41xU5LiDn4x0cjtLi3R/slB2OFZDn1k+fMbcmyu qwO81gY2PJhB2N23hqG8Zv7oowBPuopD6nKfeFeya3pxE8paKKr+KXDw126635wKK7LddvQRUX9 +0qatJpwGXwtrcXIoHqc65bKhQhHFKjSqPMofH+2udAMKu/H0tiuJqrJxrb/tSGp4/X6pfYLqCD W+wCekEdKR9PJQxsxHShYDFsgp0uLN+mpDeVxPWn06nNZolujkaq61xjOI2/F1bglTzUZvmhnMG k=
X-Received: by 2002:a05:6a00:170a:b0:82f:2aaa:c14c with SMTP id d2e1a72fcca58-84148753224mr28074b3a.16.1779292223668; Wed, 20 May 2026 08:50:23 -0700 (PDT)
MIME-Version: 1.0
References: <CAOjisRwyLy5Z2htFtq4hFUPrQWUzaxwKjWwTdHfPyximHeoaGQ@mail.gmail.com>
In-Reply-To: <CAOjisRwyLy5Z2htFtq4hFUPrQWUzaxwKjWwTdHfPyximHeoaGQ@mail.gmail.com>
From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Wed, 20 May 2026 11:50:11 -0400
X-Gm-Features: AVHnY4Ineo3EElKgayZ72C-F06xO-qnHrbwnpTJUOQsJxmA_E_D6pQ1tsP6e1DY
Message-ID: <CAOjisRyVq+0EVNx1smAmE5XVmq_wXyhh3aDoWzxSTRPbsSc09g@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 73T64VNR4P7SMQR4KV7LRQP6U2EWLA5R
X-Message-ID-Hash: 73T64VNR4P7SMQR4KV7LRQP6U2EWLA5R
X-MailFrom: nicholas.sullivan@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; header-match-cfrg.irtf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [CFRG] Re: PQ KEM Security Considerations
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6K43Ycr062Ym1G0q4WHxZQ2HW8M>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Hi CFRG,

Thanks to everyone who replied to the April 13 note, and thanks in
particular to the people who are preparing per-KEM
security-considerations documents.

We are extending the requested submission date from May 22, 2026 to
Monday, June 22, 2026.

This remains a call for per-KEM security-considerations /
security-evaluation documents intended to help protocol designers and
implementers understand how a KEM can be used safely in IETF
protocols. It is not an algorithm-approval exercise, and it is not a
ranking of KEMs.

The eligibility point from the earlier note also remains the same:
this call is aimed at KEMs that have had substantial public
cryptanalysis in an open process. A document can still be useful as a
discussion document even if the underlying KEM is not yet at that
level of maturity, but at this point we're interested in KEMs that
have short-term deployment targets, especially those in IETF
protocols.

To make list review more uniform, please structure per-KEM documents
so that they explicitly answer the following points.

First, is this safe to use?

What is the authoritative specification, and which parameter sets are in scope?
What security strength is being targeted, and what security notion
does the calling protocol rely on?
What assumptions, underlying hard problems, attacker model,
implementation conditions, and practical conditions are needed for the
claim to hold?
What is the basis for confidence, i.e., what public review and
cryptanalysis record are we relying on? Pointing to external standards
and their public review is completely reasonable here, the goal is not
to reinvent proofs in CFRG.
What protocol-relevant caveats, hybrid-composition concerns, and
watchpoints should protocol designers know about?

Second, how do we safely use it?

What are the exact sizes, encodings, and canonicalization rules for
keys, ciphertexts, and shared secrets?
What validation is required, and which checks must not be skipped?
What randomness is required, and what breaks if it is weak, stale, or reused?
What should implementers do on failures and invalid inputs, and what
side-channel, oracle, and fault-injection considerations matter?
What are the key-lifecycle, reuse, storage, zeroization, and PFS implications?
What interop artifacts should exist, including test vectors and
malformed-input tests?
If the underlying standard offers variants or options, what is the
default recommendation, and when should a protocol designer choose
something else?


A -00 or outline is fine if it clearly establishes scope, structure,
and initial answers, and if the authors are prepared to revise it
toward this checklist based on review.

If you are working on a document, please reply to the chairs naming
the KEM by June 8.

Best,
Nick (for the CFRG chairs)

On Mon, Apr 13, 2026 at 10:10 AM Nick Sullivan
<nicholas.sullivan@gmail.com> wrote:
>
> Hi CFRG,
>
> At IETF 125 I gave a short talk on "KEM Security Considerations" and a
> path forward for PQ KEMs.
>
> The problem we are trying to solve is simple: the IETF needs guidance
> on which PQ KEMs are reasonable to use in standards-track protocols.
> Candidates that come up repeatedly include ML-KEM, NTRU, Classic
> McEliece, FrodoKEM, NTRU Prime, and HQC.
>
> There is also clear process history here: at IETF 123 the poll result
> was that we should first produce a KEM security requirements document.
> We still do not have that requirements document, and today we
> effectively only have one per-KEM security considerations writeup (for
> ML-KEM).
>
> Current gap and proposed approach (from the IETF 125 slides)
> - Current gap: no requirements document exists; one individual draft
> covers ML-KEM only.
> - Path forward: adopt per-KEM security evaluation /
> security-considerations documents.
> - Eligibility: KEM has had extensive public cryptanalysis via an open process.
> - Target: on the order of weeks, not years.
>
> Links:
> - IETF 125 minutes (CFRG session 1):
> http://datatracker.ietf.org/doc/minutes-125-cfrg-202603190100/
> - Slides: http://datatracker.ietf.org/meeting/125/materials/slides-125-cfrg-pq-kems-02
> - ML-KEM security considerations draft:
> http://datatracker.ietf.org/doc/draft-sfluhrer-cfrg-ml-kem-security-considerations/
>
> Scope and what the output means
>
> This is not about CFRG "approving" algorithms. The intended output is
> a set of documents that protocol working groups can read to understand
> security properties and security considerations for protocol use. This
> is guidance for protocol designers and implementers, not a ranking
> exercise, and not a re-run of the underlying competition or
> standardization processes.
>
> Request to the list
>
> Before we talk about adoption of any single KEM-specific document, I
> want to ask a simpler question:
>
> Are there plans, or willingness, to write similar
> security-considerations documents for other PQ KEMs being discussed
> here?
>
> If you are willing to contribute (author or co-author), please reply with:
> - which KEM(s) you have in mind
> - whether you can produce a draft or outline within a six week
> timeframe from today (before May 22)
> - whether you think we need a small design team to converge on common
> criteria, or whether mailing list discussion is sufficient
>
> Proposed questions (criteria) for per-KEM documents (open for debate)
>
> To make the request concrete, here is my starting point for the kinds
> of questions each document should answer. These are intentionally up
> for debate. If you think this is too much, too little, or missing key
> items, please say so.
>
> I am also separating "is this safe to use" from "how to safely use it":
>
> A) Is this safe to use? (claims, assumptions, evidence)
> - Spec and scope: what is the authoritative specification (or specs)
> for the KEM, and which parameter sets are in scope for this document.
> - Security strength and notion: what security strength is being
> targeted (e.g., NIST category / bits of security), what security
> notion a protocol would rely on (e.g., IND-CCA-style KEM security for
> HPKE-like use), and what the KEM claims under that notion.
> - Assumptions and conditions: what attacker model and assumptions the
> claim relies on (classical vs PQ, any non-standard assumptions), and
> what conditions are required for the claim to hold in practice
> (required checks, failure handling, implementation assumptions,
> underlying hard problem).
> - Basis for confidence: what open, public process and cryptanalysis
> record we are relying on. Pointing to an external standard and its
> public review is valid here; the goal is not to reinvent proofs in
> CFRG.
> - Protocol-relevant caveats: known limitations or results that could
> affect protocol designs (binding/misbinding properties,
> robustness/contributory behavior, misuse sensitivity, and hybrid
> composition considerations if applicable), plus a short list of
> watchpoints (what would change the assessment).
>
> B) How to safely use it? (protocol designer and implementer guidance)
> - Inputs/outputs and encoding: exact sizes and encodings for public
> key, ciphertext, and shared secret, plus any required formatting or
> canonicalization rules.
> - Validation: what input validation is required (public key checks,
> ciphertext checks), and what must not be skipped.
> - Randomness: what randomness is required for KeyGen and Encaps
> (strength and freshness), and what breaks if those requirements are
> not met.
> - Failures and leakage: correct behavior on decapsulation failure and
> invalid ciphertexts, constant-time expectations, and what error
> signaling is safe (avoid oracles). State whether fault injection is in
> scope or explicitly out of scope.
> - Key lifecycle: reuse guidance (static vs ephemeral), PFS
> implications, storage and zeroization expectations.
> - Interop artifacts: minimum test vectors and negative tests
> (malformed inputs), where implementers should pull them from (spec
> appendices, reference code, published vector sets), and any evidence
> of multi-implementation interop if it exists.
> - Decision points in the underlying standard: if the authoritative
> spec offers options (variants, modes, knobs), point to the relevant
> sections and give protocol designers a clear default and a short
> decision guide for when a different option is appropriate. The ML-DSA
> security considerations individual draft is a good example of the
> level of guidance here
> (http://datatracker.ietf.org/doc/draft-connolly-cfrg-ml-dsa-security-considerations/)
>
>
> About adoption and completeness
>
> If we adopt this topic and/or adopt individual documents, the adoption
> call should not be read as "this document is complete." A -00 that
> establishes scope, structure, and initial answers is fine, as long as
> the authors agree that if the document is adopted they will work it
> towards conformance with the (eventual) common criteria and
> incorporate review feedback.
>
> Thanks. Please reply if you are willing to write (or co-write) a
> document for a specific KEM, and please also reply with suggested
> edits to the criteria above.
>
> Nick (for the CFRG chairs)

v2.46.0 | Report a Bug | By Email | System Status