[CFRG] Re: PQ KEM Security Considerations

Songbo Bu <king347608@gmail.com> Tue, 23 June 2026 01:45 UTC

Return-Path: <king347608@gmail.com>
X-Original-To: cfrg@mail2.ietf.org
Delivered-To: cfrg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A892D1057A6CE for <cfrg@mail2.ietf.org>; Mon, 22 Jun 2026 18:45:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782179101; bh=N3Kg+LuJ6v0PUl67dLMu9TVtcHdCB3LgJg5jc2YKTr8=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=kcaljXa+EcEYRx9piumW8+/8Jpty0ClZYcRLJQA/C4n86XVfByO6432NyvOAecpRA Dd8W6scxPmfiVOJWKkGMjvUo3lyB8Hl4UK095H6cU8hWJ/K3f2fo6PO42Cz79Pd3YX id+Y3WjoRF1tD+98cJGKKl/54/zLJIETttleycFk=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dooryeQVjByl for <cfrg@mail2.ietf.org>; Mon, 22 Jun 2026 18:45:01 -0700 (PDT)
Received: from mail-qv1-xf2b.google.com (mail-qv1-xf2b.google.com [IPv6:2607:f8b0:4864:20::f2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3F8CC1057A6C7 for <cfrg@irtf.org>; Mon, 22 Jun 2026 18:45:01 -0700 (PDT)
Received: by mail-qv1-xf2b.google.com with SMTP id 6a1803df08f44-8dc09919aa2so83867876d6.3 for <cfrg@irtf.org>; Mon, 22 Jun 2026 18:45:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1782179095; cv=none; d=google.com; s=arc-20240605; b=T/Xqw7NTZ7euVzejodKRC/KRINA4Mi6eGFb18Zbq6WAmoXlwAe5g7xn4z/qW9PkWs7 rHx/EdWtyhwmzcV55/j2/jSqw8Pj6efRr9uzhawhN3HHkK5thoZR5MQB2y5Meej94vYm gvqQTJDncPB+OTYSpGQb62i4mpBuKfNygcKinZ0yd3VzG2gUSOXynMPDrze9TNCKQBvm Q+LUXyZ36GoT2RaEYnSYF4vTnM7kCWyqQFKSGQm/x4bWdc2qVelvOo9rwxAGPeL6Ff5v Sw0DmoSG4crRz7dD44HwifqdWJBYqDp8EsH2DLjX0bPy6bdHmpvA2ai23OrrujQoLNt/ DXAw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=715Iov24VsOgdlO8BQpc+jWr9y6/I6x77MfmRjcgO+8=; fh=Pj93oHW9q9w5YKy33d+ryTg7o9YXUht63PtK2nHWP5w=; b=JmuxGpk7+kNJdw6mz2a0XepxOnuOqLh46cSe4VTjQbKT4V/YhkCXfuSq7IQGTFyCAT fBgTU3c9ttuci+PdiJuCq6saIb9sCgykX+bbXea235JXsh59OO7w4gLdnQuTWT2qJ5+c uFDGC+C/YRGo+I+yPEJfsfSDHkZdNImjuKFwcgDlcEF1MsqU0almcyCnm8jdR1h45xyP jl/iDOgXBiPXhtRGS1Y0DTDOLpdeNDu0/e9toTITDQOJVR6f48fsNZDECdnT+TTuv7GD steVO9ktt+cNow7VzMMhAY0tcm+L05PT35WbaGA1Lvs2bJsWutwR0h4HW1p42LyhEsFx g+jQ==; darn=irtf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1782179095; x=1782783895; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=715Iov24VsOgdlO8BQpc+jWr9y6/I6x77MfmRjcgO+8=; b=QcOPsidCM3VS/UsyEdbYTRiSzWIFP+eBmuQTh16kdsmD3apmHVWUimMW8PHjOBKvQI ilIdSKRqLqIzdXaTCSpyX7hJuRoCJ07djc3VYQ5CDnvCt2Lcpi970dd5WKW2In9XghyJ BthRSPNUihjn3AdXGktjWRYKhA9LhoyJxhF76BJw4uzWN0uOkhLumP87MeLiwpnMg0Kg Kvqz+IPwbAw5yzDq/qUJfHaoYCz8CLunsYqiTqA0rm3SMsJfv+tNQn3wizGyN81tBgim RECSv2GpKC6OkDqiN+n0kB9csQGhhN6sI9ihdKG4s69wuYBM3VHfDElyJSBmce00Mu5S CQuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782179095; x=1782783895; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=715Iov24VsOgdlO8BQpc+jWr9y6/I6x77MfmRjcgO+8=; b=pV4oqdRPnnh+2fcix/IdR7auByTdiaWhHVB46fCuz/djyHEJwHxwAJLcLawvHhzlWO 8nh9Mpo0g53syQblZi84EBxbaatbzggjo1V+mbuWWsl/4ktKxuXLiNGLfk8xR2t95Vi/ QayuxrkNBzj8QzvcS8Kalj7HcTPGAiKkkJSM1CxfSZ/4hn0/jM7E1bBbQPZqxW7ktAdK D2nNXb0uAtiA+BXyoLHF32EsiFn8i1y/Via7c1Qw3p7001Ofpzz+P05JiujOLW7P+4Pd kFrFJR1hCQdsm1s25NuGoSvv049+TVoG4Xb3yeomEOa8f3QBgWvheTh6URfw+awDaVXH s7GQ==
X-Gm-Message-State: AOJu0YyYB0/rdbK60GkuaUkaTYZLR6Zwn9QHh+/3XZAVcbHyj2/ZZCpg kzMJTYTcSdyNHBczPBCi30/2QSWxRMJrKyn39Z37puXF7n/nc/hpjyCXOXAqNonu1wUlSybSS7m QMD6m+Ayfc8v2fkKUbeE7dTCr76dLeyUpoyBa
X-Gm-Gg: AfdE7cmx5c+utvC8744hGZg0CsD5LFcobmKd8DQFP7RzVv+zdk8nHbahS6tfTECPrLZ iPZVUZuJIz0qyYx1IkR0gf4dHsalAKd2z21xGV2bGYUbGSbeKVAISNMmcmjnaLMt2EOSE7rxQ9U xqYK9IzLA6QG7ocErpam6Aa8HrH64ga9mwPDvfMcMLgX4dRk3ecetRIX2l/hJ0tSrmKKSl4VgQR tHP4XrLNJFI5q0S4Au12nRTClpUzhFVKzvbarewzDteHaitPFd8AVkH8wny8ThI1zvZf5QnwPzb IwngvVjyyRa/KqvktduR4HrNZ2nIz79WpaMj
X-Received: by 2002:a05:6214:21a1:b0:8e0:4469:4284 with SMTP id 6a1803df08f44-8e43370098amr4778576d6.5.1782179094620; Mon, 22 Jun 2026 18:44:54 -0700 (PDT)
MIME-Version: 1.0
References: <CAOjisRwyLy5Z2htFtq4hFUPrQWUzaxwKjWwTdHfPyximHeoaGQ@mail.gmail.com> <CAOjisRyVq+0EVNx1smAmE5XVmq_wXyhh3aDoWzxSTRPbsSc09g@mail.gmail.com> <f875fd55-59b9-4d27-812e-229a8574e665@tu-dresden.de>
In-Reply-To: <f875fd55-59b9-4d27-812e-229a8574e665@tu-dresden.de>
From: Songbo Bu <king347608@gmail.com>
Date: Tue, 23 Jun 2026 09:44:43 +0800
X-Gm-Features: AVVi8Cd6eHrbifUqNo5eLHWUkib_4ZcD1stFQmqFMTKQPE_z_bxuBodw31x03ZE
Message-ID: <CAK08nYYsvLvdcV0usf_ZTyhO7=9tNm9gWBbu0H_X-XOFOng-aQ@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000dc6f280654e1e70d"
Message-ID-Hash: OUHLTLBHFJABLPQHRKXLCG6CPSLSYV32
X-Message-ID-Hash: OUHLTLBHFJABLPQHRKXLCG6CPSLSYV32
X-MailFrom: king347608@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; header-match-cfrg.irtf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg-chairs@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [CFRG] Re: PQ KEM Security Considerations
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/eFi78XBFmnTocPhxvcv6FonaV8g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Hi Usama, Nick, all,

I think the distinction here is useful.

Section 5 of draft-usama-tls-risks-of-mlkem seems relevant as a
protocol-use and implementation-boundary input, rather than as a substitute
for a per-KEM cryptographic security-considerations document.

For the common checklist, I would find it helpful to keep those layers
separate:

   1. the KEM-level claim: specification, security notion, public review,
   parameter sets, and known cryptanalytic caveats;
   2. the protocol-use claim: which protocol inputs must be bound to the
   KEM result, such as negotiated group, transcript, role/context, and
   key-schedule input;
   3. the implementation-boundary claim: what must fail closed around
   parsing, malformed shares/ciphertexts, HRR or retry paths, downgrade
   behavior, and error reporting.

In TLS, the second and third layers are where a lot of implementation
mistakes become visible, even when the KEM-level statement is correct.

So I would support using the ML-KEM/TLS text as one input into the “how do
we safely use it?” part of the CFRG checklist, while keeping the actual
per-KEM safety document scoped to the algorithm and its assumptions.

If useful, I can help review the ML-KEM/TLS text against the common
criteria from an implementer/protocol-boundary perspective.

Best,
Songbo

On Mon, 22 Jun 2026 22:58:48 +0200, Muhammad Usama Sardar
muhammad_usama.sardar@tu-dresden.de wrote:

Hi all,

I did not submit a separate draft because as a non-cryptographer, I
don’t think I will be able to handle the revisions. Nevertheless, with
the help of several contributors, I summarized some security analysis of
ML-KEM [0] in my draft under review at ISE, which may be helpful in this
discussion. Sec. 5 [0] sort of answers the two questions at a high
level: is this safe to use? and how do we safely use it (in TLS)?

I hope to be understanding more from the cryptographers here.

I welcome any feedback.

Best regards,

-Usama

[0]
https://www.ietf.org/archive/id/draft-usama-tls-risks-of-mlkem-04.html#section-5