[CFRG] Re: Latest version of draft-sfluhrer-cfrg-ml-kem-security-considerations
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 21 November 2025 00:48 UTC
Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@mail2.ietf.org
Delivered-To: cfrg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B7C998DA52AA for <cfrg@mail2.ietf.org>; Thu, 20 Nov 2025 16:48:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -11.886
X-Spam-Level:
X-Spam-Status: No, score=-11.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_NONE=0.001, T_SPF_HELO_PERMERROR=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cisco.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dRWttYsQZZ1f for <cfrg@mail2.ietf.org>; Thu, 20 Nov 2025 16:48:43 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id F3C148DA52A3 for <cfrg@irtf.org>; Thu, 20 Nov 2025 16:48:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=25232; q=dns/txt; s=iport01; t=1763686123; x=1764895723; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=4DGV+7c0GSoHeICxBPjSUAurGVWnWezwiWaRrc359OY=; b=HEyCQ9BuP9WJdh8fvfdd4XMy6oSL1mrr8P16Ju1DwIhntM04T5yZjROl PUYpwHKK5po/Io4wD0U0h0pAMHVzNBGJKCzoC/FbJSQ/hm4IIaW+kqX7u 4vQNJNoEzmA3CBnxfZjWwY7Z6mUVZdmumPA2g26SwPjYYRGsb5OczAMwV cm72bhCpp/LWCxsa/91vXO8FDcTqm2KLKtQmvawyQJJ9JQYQTReNcwL+N ur1Y6A+63Td6c8NhtGvzAU+tAXTZuWbOfqXB0IbcdL8ntJFXRzkFnp83/ xOJQalz+Uhi1A2xnOpbqU6a9wIeV7JyVylrzep/ftN2CDX7WzSrRdKlju g==;
X-CSE-ConnectionGUID: OB5YHGxCShOlg4MHPP0PpA==
X-CSE-MsgGUID: n6xrPk/0SmCssGEX3Nzphg==
X-IPAS-Result: A0BGGAByth9p/5EQJK1aHAECLAEHAQIGAQQEAUiBKwKBOzFSB3kCgSBJA4RRg0oCA4UsiHkDgROQN4V5PIE7hGAUgREHUw8BAQEPFAInFAQBAYUHAhY5FYt5AiY2Bw4BAgQBAQEBAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQEBAQIBEhErIAsFCwIBCBEEAQEoAwICAi4BFAkIAgQIBgUIFQQBgmGCHRYZJwMBAg6maQGBQAKKK3qBMoEBg2xB23MGgUoBhTqDFwEBKoE0Ag6CSYEegl6BFIEfJxuBSUSBFUKCMDg+gmECAgGBKAESASMGLoMlOoIvBIIJBBVSKAoKEgsPQgUGCUQtAz1vBGp7OwIBXkEBBgMWLgEEAwFyAT0kgSkWBAMRAiyEMIILayyGZVJySzMsAVUTFwsHBYEgQwOBCyNLBS0dgSQiHxgRYFRAg0kQDAZoDwaBEhlJAgICBQJAOoFoBhwGHBICAwECAjpVDIF3AgIEghh+ggoPiFeBCQUuKwMLbT03FBsFBIE1BZMwB1RRgUILAU9PJgRDECACfSYZAQZHBgEIkwIbH4Nhj32fWQqEHIwelW8XhASmAGeZBoJYizCWAIUOAgQCBAUCEAEBBoFvCyorDjBwcBU7gmdSGQ+OKgMWHINChRO+e3gCDC4CBwEKAQEDCZMHYAEB
IronPort-PHdr: A9a23:mDg2ZBxHNs4cbhjXCzPsngc9DxPP853uNQITr50/hK0LK+Ko/o/pO wrU4vA+xFPKXICO8/tfkKKWqKHvX2Uc/IyM+G4Pap1CVhIJyI0WkgUsDdTDCBjTJ//xZCt8F 8NHPGI=
IronPort-Data: A9a23:3xoyCa1sfTMZB7XVKvbD5ZRwkn2cJEfYwER7XKvMYLTBsI5bpzEFm 2AWXm7Tb/nYamT1etF+Pd+x8UxVvZbQxtZrTAo63Hw8FHgiRegpqji6wuYcGwvIc6UvmWo+t 512huHodZ5yFjmH4E/xbtANlFEkvYmQXL3wFeXYDS54QA5gWU8JhAlq8wIDqtYAbeORXUXX4 bsen+WFYAX4gmcuajpIg06+gEoHUMra6WtwUmMWPZinjHeG/1EJAZQWI72GLneQauF8Au6gS u/f+6qy92Xf8g1FIovNfmHTKxBirhb6ZGBiu1IOM0SQqkEqSh8ajs7XAMEhhXJ/0F1lqTzeJ OJl7vRcQS9xVkHFdX90vxNwS0mSNoUekFPLzOTWXcG7lyX7n3XQL/pGK2trDK036s1MAUZK+ qA9CAg1NiibrrfjqF67YrEEasULJc3vOsYb/3pn1zycVaZgSpHYSKKM7thdtNsyrpkRRrCFO YxAN3w2MEmojx5nYj/7DLolkuO1hmPyaRVTqUmeouw85G27IAlZjuOyYYOJK4bSLSlTtkDGt nj+/COhORQxL8ew5Are1GC0huCayEsXX6pXTtVU7MVCi1OJyUQSEgEYE1yhrpGEZlWWUtZbL QkQvyEpt6V3rBztRdjmVBr+q3mB1vIBZ+dt/yQBwFjl4oLf4h2SAS4PSTspVTDsnJVeqeACv rNRo+7UOA==
IronPort-HdrOrdr: A9a23:WRXvfKM9MNqStcBcT4H255DYdb4zR+YMi2TDiHoBKiC9I/b5qy nxppUmPEfP+UgssREb9expOMG7MBXhHO1OkPgs1NaZLUbbUQSTXftfBOfZslnd8mjFh5FgPM RbAuZD4b/LfCVHZK/BiWHSfadDsby6GeKT9JvjJhxWPHhXgtRbnnxE43GgYzVLrWd9dP0EPa vZzPBq4xCnfnMaZNm6AH4qY8jvzuegqLvWJTQ9K1oC8gehsROEgYSWL/Gf5HgjegIK5Y1n3X nOkgT/6Knmmeq80AXg22ja6IkTsMf9y/NYbfb8yvQ9G3HJsEKFdY5hU7qNsHQeu+e08msnl9 HKvlMJI9lz0XXMZWu4yCGdmDUIkQxeqUMK+2XoxUcLkvaJAw7SzPAxw76xRyGprnbIeusMiZ 6jkVjp76a/Rimw7BgVr+K4JC2C0HDE4EbLVYUo/iZiuUx0Us4LkWQSkXklYqsoDWb07psqH/ JpC9yZ7PFKcUmCZ3ScpWV3xsewN05DVCtub3Jy8vB96QIm10xR3g8d3ogSj30A/JUyR91N4P nFKL1hkPVLQtUNZaxwCe8dSY/vY1a9DS7kISaXOxDqBasHM3XCp9r+56g0/vijfNgNwIEpkJ rMXVtEvSo5el7oC8eJwJpXmyq9DVmVTHDo0IVT9pJ5srrzSP7iNjCCUkknl4+6r/AWEqTgKr +O0VJtconexEfVaPF0NlfFKuxvwFElIbkohuo=
X-Talos-CUID: 9a23:31smAG9cdRDTd+FiOJyVv2k+R/EFXW3293f3J0DkLEZRcOWtUXbFrQ==
X-Talos-MUID: 9a23:bm9JqQjihZNXh7TnDO2ri8MpMpl4+ZytTxg2lL4doOapBXdWKS+dg2Hi
X-IronPort-Anti-Spam-Filtered: true
Received: from alln-l-core-08.cisco.com ([173.36.16.145]) by alln-iport-3.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 21 Nov 2025 00:48:35 +0000
Received: from rcdn-opgw-1.cisco.com (rcdn-opgw-1.cisco.com [72.163.7.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by alln-l-core-08.cisco.com (Postfix) with ESMTPS id 8A58E1800074B for <cfrg@irtf.org>; Fri, 21 Nov 2025 00:48:35 +0000 (GMT)
X-CSE-ConnectionGUID: U8ycsi4PQjCGgrhY6CSd5w==
X-CSE-MsgGUID: 5hi1zZoDR3GWgoEMWVD5nQ==
Authentication-Results: rcdn-opgw-1.cisco.com; dkim=pass (signature verified) header.i=@cisco.com
X-IronPort-AV: E=Sophos;i="6.20,214,1758585600"; d="scan'208,217";a="38408894"
Received: from mail-co1pr07cu00106.outbound.protection.outlook.com (HELO CO1PR07CU001.outbound.protection.outlook.com) ([40.93.10.94]) by rcdn-opgw-1.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 21 Nov 2025 00:48:35 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=IvDcVblbVVRJnIxxBnYeB7Ku9yxZCZo/I2dUu778EWmU/Y/5vm3Jr4vBd53D1iQMmKWXWlKTo87P1RMD4LHBGooBEzY4ATv+Nt7DrLcH2tQJgJcvKyKqz+2B3eAI0ESE/HOSJz1BST2lIdIAlDSKwzcdVmmmtd8joDWIzy6MLXrBcIcS0sqB3Rksc5BdS6Qs3KIyeeK72ZkoZ9WV/a3+9JcYeXL2oBDIB+CmuPoQvxGb1zko8+3IS9Ej5FtHRDyW5tAPlr4JXjxR7uiEvIF6IEUP4lJ8SJxgcMoxEmPFgYY+jc6k8e/NwskiqlgZqtr95jqnJ3WVgbj0gJ6WCSXLRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=4DGV+7c0GSoHeICxBPjSUAurGVWnWezwiWaRrc359OY=; b=r+liouk6qg4stETN3aA1pqGG5iYMu/uqtkIdHwlYF3dUpBsO32opCJQ+kJn0ey0ccBBPBfQVP1RPzqh/g2mm9It1+4XtDyR2ogo4jJTYr6WrnzpGKfwRy/mIqJ7W1pIa93jHqsCy1cGmc03ZPqBcGDcgvtXpsgZsDrKyAfMrl/er8wtu/gi4pmeStIME1A8b+nh4Jk0tGWaHmkV/WSH3H7kR0MJlPx1K2NZ+xW71tMHOKcVBLqXRSNds5ZTYbjgKb89W1zP1ZuNCi+wSgBL+wtvfOujifOe0pJnSr5f1TgmO6x5nntWwS2KNP4fIHA8gDaXhd2rw4dOmG8Eh8FFnEA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from DS4PPFA08475C7D.namprd11.prod.outlook.com (2603:10b6:f:fc02::3f) by CY8PR11MB7730.namprd11.prod.outlook.com (2603:10b6:930:74::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9343.10; Fri, 21 Nov 2025 00:48:32 +0000
Received: from DS4PPFA08475C7D.namprd11.prod.outlook.com ([fe80::7768:2fed:e554:f58c]) by DS4PPFA08475C7D.namprd11.prod.outlook.com ([fe80::7768:2fed:e554:f58c%6]) with mapi id 15.20.9343.011; Fri, 21 Nov 2025 00:48:32 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>
Thread-Topic: [CFRG] Re: Latest version of draft-sfluhrer-cfrg-ml-kem-security-considerations
Thread-Index: AQHcWh1V5ZnXVnOHpkKEw7eVNphURbT7t76ggAB90QCAABRvOg==
Date: Fri, 21 Nov 2025 00:48:32 +0000
Message-ID: <DS4PPFA08475C7DFED5E5771AEED2AA8E0CC1D5A@DS4PPFA08475C7D.namprd11.prod.outlook.com>
References: <PH3PPFA3FE8A23FC879652BD950CF48D0AAC1C9A@PH3PPFA3FE8A23F.namprd11.prod.outlook.com> <775681D8-7888-47C8-ADFA-ECB5F38A6AFD@thomwiggers.nl> <PH3PPFA3FE8A23F4EC964841468D379740BC1D6A@PH3PPFA3FE8A23F.namprd11.prod.outlook.com> <e310d98b-29e8-48d8-b0e8-364de292844c@kavula.fi> <PH3PPFA3FE8A23F52191C1989855EFACEB9C1D4A@PH3PPFA3FE8A23F.namprd11.prod.outlook.com> <CAEEbLAb=TEuZv-3Yy8zC2ryUYQBeEQfrdpJcWFMT4hZ5v-t0dw@mail.gmail.com>
In-Reply-To: <CAEEbLAb=TEuZv-3Yy8zC2ryUYQBeEQfrdpJcWFMT4hZ5v-t0dw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DS4PPFA08475C7D:EE_|CY8PR11MB7730:EE_
x-ms-office365-filtering-correlation-id: 2de826e2-ed96-45d6-e082-08de2897b20c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|4022899009|376014|366016|1800799024|7053199007|38070700021|13003099007|8096899003;
x-microsoft-antispam-message-info: tnAm7lrdOcRm1MnGKQ1y4AADAmfD2S/atBzwqRYGMsnE5eDJ+zgsCNHK36m5Mw59b6/ocoXhrOLHilYdAmtWUe83kRjt8ypTSMygbCmXSQTQJ04Mm4s7v9V3HMgzd9Bqseh6TpasNP1Ty3HVMhgH4DBL/ICNldXTrRxFCr2EI7TLLMyC6KPQ7C3zoMlzhBdBkoUT6lnIgopqkJ0V86Y0gn6YP2sXer9mdivDEFi57zrrF6t4cWFc7o7L2kgANmsA+We96R8OcuF5X2d64zTlq0fFn23GiAY20ccUSvUjSoBKfPbL4wosMEXriFhES6iZNsnfl/uJ5881aGy2sLbgM/+XyKruqNyCOsfA6PWY394uBHMoGo7IwSW+kMK9OQ4XO2zq+59eF4tQr9NCJZPvsJZu3Xjky2GRrNfEgxNfB3KTGWOaM6rzyCAEEkmfrxsZti7d6I//c2GzNA7EzMte00zEzQLZHOSaSL0rNuTR6AorICqZqXt5+bv9m5XazlsjHLiAF5V4y2IjuZnm5FxylfHX29ldwAm0yArJTj5l4trRG5Nr6myUqBiwrlnrjUkrhjOcMwFDV6+329PzYXLYq3sMa7ztp2ZTXxEMM8H16aFu8MzehzMfdbKDipWPy7l0zMiOGJlMUjc4t4wnuqaH8xHmZ8EKclrr9bZcegBjBJwxp+YXyfiS42AX3zWeemJgQubwUxhdrcdUsspwBd9Ehk/eB2DLIqwQM3urS39EDiG+CyraswqvMhTnJkEbEXQ5HTyQ0qIwANxnVZPjgmOYL8nBruBjURe0v9afhsD+LjwKJpjitVG9aFBAGgoP7GaHoix9QGhiKJB+Jv39yNGR/CxxnKFxgP8UEZQtfUtTB9saeUAsv4oe9ZHgH8b/E2MKgUJbP+B/fLsZtXK9Cz+NaXqJ5GxlirWc/HSFWADdjhUpMwaZJElMZTgCT7LPlEtiEbnHLHY0LXwXy0x7dgM3QertPylTL0/tIVOQ1AEZp9fECQ3TcjdUfrtvO94XdOe8lgKPKK/aZvmySnLMbBeinZGKxSa1W4vWluVmbghgXq/ts2+pg3eEyF6FbSb8iVH8XCOYWotheDLuzp36CTu8AhPfGFxGfVrmQJyqqFKc5yWWEh39IZax9G0c4DQYTG4wkH9YTbj8eMa3kENO4lEgvUKY5M7uYb5tw5ldWh7AYMOVdvZuLzOITvfXNODxrnJcFJ3kiunB8Hsd0n9arVVrdOuwpiB39UE55Skl0ILz+OfPJnA31H8uh+Q9JUTgJuph2lz4RZ8tCeXXGGr1WYNEcC0f7FSyMHoP9rnlXSuB+PFgc6OcBo2RnNDqGOb/SYH/jFNYsalG1ib//fK1vbRECEJQtmkdEiOuxlhf11wv7iUUmNIr7qpYOjB6/Jv4W3M/JtHH2ydlHUk5zB0mK4sGEclx0KviIasZnR+iBjjon2GLQ+TkrbsIMAgfMoK0KshCUPXnaH33v3KryBkkY/EoHb9pMUlmKxtCbq9KhyyCXOqfH7FULWlLb14xVhMZl1byTP05NKq+4Pn39kOrcEikzQ==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DS4PPFA08475C7D.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(4022899009)(376014)(366016)(1800799024)(7053199007)(38070700021)(13003099007)(8096899003);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: BlmrJV6DCTnfh4r1LUu9ElbLomCfYx4OA0Krmx6QEsdQ/RvsQBFHXQNbAeV2kSFL4/v85nNRLIQmyd7csshZ6ho8UPKR0BctRu8M1PzifI0tuQqN6k/ofkzp5tbY0EO9BtYqCM9CLIuPtYdGLql/7XfwC+cGQlADL9RY3D66SkyPgUjqFrSAYHR3Y6AXOPmpAOoG4YAFFlb95jmqiUvUnrOriN6uYCH39UxhGWeoB094YlzBx2HSE9ah8L5Poxa7Ng4gAJ+hyGxYk3DO21uqcoDojIqb7SQr8d/rD8+zxJ1RRpB1PTzd7iybYRRDd7U6tO6gXsQjbD4lZEJ+dIT9Np2oJoKvxt3yGL7AhBI+A5k9f6R0+KNrMBG7YHg5R8cMXndHFbEsY+BsQvO/x478avxpCh6TfWe5sdZz6SYKA2ewtqcXS0vPehd68W2kyASnN0Hj39w/34ixK1+vFzWERnKHTd0OvLMMzaW19zYgGIyzi7gr0EqskM8kAorVi5UT5bggwV+1Pf6Z3IeptDAfO74tFaRnAvw3dHef/IPo9KkuhDNW/HOBX2QiUlk3UFSow97Ip/ZEOFk21rn3eGGxaC7pZlyfxh5zvNSKMGgLSlKi+ziHCdySOFF4nuYb1YE2tatyBL1paeHNrQxK5I01FFoHF0gFWfwuHULwDp7+u8N/f/ngqHvVYq02zKswD0egiDoh/sW8EiZPNo7TeWj/oZxEjgp0pVkgfRvoq+ZbbuLaZXDiqkbGdgHKiX9FWfuek0VCX8xMCZjNx5K4RqXi3uzWTT7G2X/5WY2VG3Yl8WDi//YH/3XwSmZLOT0SYUaBKG375dFcyIkCAkHkgtLIrsEgjgzjlZuJW+s1Jb90/seQdlEPEo6ODJFvRB6aZkn4eke+wIbSSHCZkVIytto5WpNHsHWClw/cYDwJA4KCuSb5XhujTpYBc+mBMUDPluSnUFOsHrOSp8RCCr9Audqx+JY5XHAZF81Pxx3cNoi84IV72B+JgF+OWq0Cfy8y9isUvQGsNMYtVwuQgQw9dAmPN9+6YjHVNA0D75s067Ip3TQAluaG9g+X26dWf42dpbTz0/dwk7wA/THfcCw08r/2qxpVd3/BaSxmFKtU77ZELzotYBAoXf328cLynv0plLobHk5oBEbPCcowBU9Ag5+5/MFKoA1Pfi6uL1lXlD/wnArlAuYkyoqxxwxEW6j/nbK+YqKbJtDYkHg2veX4bXRBmZcXRHa/eRO8PKaNScGuFJj8CNGSD10cT5KI73doLv5UHcELVej09w6bxYV29udG8y68q/aMeahNppqHwQ9DGeYlEqfhWk4mIXOKrbstAQxof10eI/1eZkhv89UVXj/hcFWb6GXOnj7TDf3la7yHV1wd3w8mjfgc/VlvbUWbjZFVYBGnma3mEGVZS4B7547uHZn3J/zt356D2fWjzb5GrDPRxygal+MhNmN6yYE+g9nEtt6lCicGWgwv0X9X2Za28cRgITOVg46F2Vi8eJnn9S0D1Uju2vU38vLSV1LlJCRQob/zT0NHnIPNi3UcnhJ5KmQlO3Dh9Mn2vAz3f7br3QQ=
Content-Type: multipart/alternative; boundary="_000_DS4PPFA08475C7DFED5E5771AEED2AA8E0CC1D5ADS4PPFA08475C7D_"
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DS4PPFA08475C7D.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2de826e2-ed96-45d6-e082-08de2897b20c
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Nov 2025 00:48:32.5416 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 1/4zbkcHvtnCjeezJgJOdRYxcFlcOXoXR1HIN7sGbYemo5tMoX5DAaQ+NNAx5zwcdT4KLWjl08laTA/2fZu8OQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY8PR11MB7730
X-Outbound-SMTP-Client: 72.163.7.162, rcdn-opgw-1.cisco.com
X-Outbound-Node: alln-l-core-08.cisco.com
Message-ID-Hash: 3IILXNSVMBIIEVILAMJJ4EMUOIIRTQVR
X-Message-ID-Hash: 3IILXNSVMBIIEVILAMJJ4EMUOIIRTQVR
X-MailFrom: sfluhrer@cisco.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; header-match-cfrg.irtf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Marc Penninga <marc@kavula.fi>, "cfrg@irtf.org" <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [CFRG] Re: Latest version of draft-sfluhrer-cfrg-ml-kem-security-considerations
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EWYh6kCipa9b0r5EwSr5NsseVXI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
See SRF inline ________________________________ From: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org> Sent: Thursday, November 20, 2025 6:25 PM To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> Cc: Marc Penninga <marc@kavula.fi>; cfrg@irtf.org <cfrg@irtf.org> Subject: Re: [CFRG] Re: Latest version of draft-sfluhrer-cfrg-ml-kem-security-considerations Hi Scott, thanks for this doc, it looks really useful. A few questions to discuss, happy to make them into a pull request if we agree: > One common misunderstanding of the term KEM is the expectation that > Bob freely chooses the shared secret, and encrypts that when sending > to Alice. While there do exist KEMs where this is true, this is not > true for ML-KEM. I think the question of whether Bob can choose the shared secret is at least partially a question of definition and API. While there are KEM constructions that allow for such a choice, by definition, a KEM would never export this ability to the caller. I don't know if this statement just adds confusion, given that mathematically, we wouldn't call a primitive that allows choosing the shared secret a KEM, but a PKE. SRF: Well, a properly implemented KEM wouldn't allow the application to select the shared secret. However, there may be a concern that a bogus version of the application and the crypto engine would select a shared secret that would be known to some equipment in the middle. Now, there's a few reasons why this might not be a real concern; both that such an application could just export the shared secret over the wire (or just use guessable entropy, which would have the same effect), and also the draft is about ML-KEM, where this isn't an issue in the first place. I did want to mention it, as I have heard about the general misunderstanding from several people. > Notably, this means a > public key can be 'poisoned' such that a future adversary can recover > the private key even though it will appear correct in normal usage. I don't think this attack is possible in ML-KEM, at least not without also changing the private key (otherwise the attacker could always just use the poisoned public key for encapsulation). The FO transform catches this type of problem and rejects, (especially since the true public key is hashed into the randomness), so a poisoned public key would not result in a successful encapsulation, and never leak private key bytes. A poisoned public key could allow an attacker to recover the encapsulator's random seed, but a MitM attack would have the same effect, and one property of the FO transform is that the decapsulating party always learns the entire state of the encapsulating party. On the misbinding: One other result of Kemmy Schmidt is that ML-KEM does have very strong binding properties when using seeds or when using any other threat model than that of a malicious attacker, to the point that I would consider misbinding attacks almost as an issue that is unlikely to be a concern. SRF: I am in total agreement about these misbinding attacks - if the adversay can control the private key, why do we assume we have any security at all? If this draft were totally up to me (well, at the moment, it really is, but I hope it'll be up to the RG soon), I'd either get rid of this text or move it into the 'things you shouldn't worry about' section. On the other hand, Deirdre Connolly feels strongly about this - I consider the current text as a political compromise. Oh, and as far as seeds go, I'm assuming that the people that this is written for (protocol designers and implementors) have no control over the internals of how ML-KEM is implemented, and so I try to avoid talking about such things. On Thu, Nov 20, 2025 at 7:56 AM Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>> wrote: I'll update the doc with these suggested changes. In the future, it would be helpful for me if people would just do pull requests ( https://github.com/sfluhrer/ml-kem-security-considerations ) ________________________________ From: Marc Penninga <marc@kavula.fi<mailto:marc@kavula.fi>> Sent: Thursday, November 20, 2025 7:56 AM To: cfrg@irtf.org<mailto:cfrg@irtf.org> <cfrg@irtf.org<mailto:cfrg@irtf.org>> Subject: [CFRG] Re: Latest version of draft-sfluhrer-cfrg-ml-kem-security-considerations Hi, I agree that having a document on the use of ML-KEM in protocols is valuable, and I think that the RG should adopt and publish this draft. The target audience that Scott outlined seems a good way to scope the document. Given the target audience, I think the document doesn't need to go deeper into binding issues than it currently does. While reading, I noted a few nits: - The second sentence of the Abstract ("This document discusses how to use ML-KEM and how to use it within protocols") contains "how to use" twice; I suggest "This document discusses how to use ML-KEM within protocols". - Introduction: the sentence "In ML-KEM is that randomness from both sides are used to contribute to the shared secret." should be "In ML-KEM, randomness from both sides contributes to the shared secret." - The eighth paragraph in section 4 ("The shared secret key for all three parameter sets ...") addresses usage, not security, and would fit better in the Introduction. Especially the remark that the shared secret key can be used directly as a symmetric key is valuable advice for the target audience and deserves a more prominent place in the document. - Wouldn't [ID.draft-ietf-hpke-pq](https://datatracker.ietf.org/doc/draft-ietf-hpke-pq/) be a better reference for the use of ML-KEM in HPKE than the expired and non-adopted [ID.draft-connolly-cfrg-hpke-mlkem]? Marc Penninga _______________________________________________ CFRG mailing list -- cfrg@irtf.org<mailto:cfrg@irtf.org> To unsubscribe send an email to cfrg-leave@irtf.org<mailto:cfrg-leave@irtf.org> _______________________________________________ CFRG mailing list -- cfrg@irtf.org<mailto:cfrg@irtf.org> To unsubscribe send an email to cfrg-leave@irtf.org<mailto:cfrg-leave@irtf.org> -- Sophie Schmieg | Information Security Engineer | ISE Crypto | sschmieg@google.com<mailto:sschmieg@google.com>
- [CFRG] Latest version of draft-sfluhrer-cfrg-ml-k… Scott Fluhrer (sfluhrer)
- [CFRG] Re: Latest version of draft-sfluhrer-cfrg-… Thom Wiggers
- [CFRG] Re: Latest version of draft-sfluhrer-cfrg-… Scott Fluhrer (sfluhrer)
- [CFRG] Re: Latest version of draft-sfluhrer-cfrg-… Thom Wiggers
- [CFRG] Re: Latest version of draft-sfluhrer-cfrg-… Kris Kwiatkowski
- [CFRG] Re: Latest version of draft-sfluhrer-cfrg-… Marc Penninga
- [CFRG] Re: Latest version of draft-sfluhrer-cfrg-… Scott Fluhrer (sfluhrer)
- [CFRG] Re: Latest version of draft-sfluhrer-cfrg-… Sophie Schmieg
- [CFRG] Re: Latest version of draft-sfluhrer-cfrg-… Scott Fluhrer (sfluhrer)
- [CFRG] Fw: Re: Latest version of draft-sfluhrer-c… Daniel Shiu