IETF Logo Mail Archive

[TLS] Re: New Liaison Statement, "Liaison communication to IETF regarding draft-ietf-tls-mlkem"

Nico Williams <nico@cryptonector.com> Tue, 07 April 2026 15:05 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 55F39D785214 for <tls@mail2.ietf.org>; Tue, 7 Apr 2026 08:05:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775574306; bh=rq0NhdJP4BZgy16xQ2tj1tO1Sh7bsVmgNE0/xbA8k1Q=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=zN2JWf4ONGxfF9wslDVpBiqhOhurQiwQ7bMIwZHvWQLmJqgZ7kmCKkOZiEW88e3Jg BMB+DR7drsDAf3byI49dfVH9VX+juf53VZ30zh/8qCpt3eT7y9UMi6gwDpAp6C0yXZ vty+4+89oO/TIhSLjUqJAlDHPG3cMPtBIdrsW3Mc=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hOW5e_VmbeWX for <tls@mail2.ietf.org>; Tue, 7 Apr 2026 08:05:05 -0700 (PDT)
Received: from toucan.tulip.relay.mailchannels.net (toucan.tulip.relay.mailchannels.net [23.83.218.254]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B4431D783E58 for <tls@ietf.org>; Tue, 7 Apr 2026 08:02:56 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 649AC7E1DF6; Tue, 07 Apr 2026 15:02:50 +0000 (UTC)
Received: from pdx1-sub0-mail-a205.dreamhost.com (100-123-14-4.trex-nlb.outbound.svc.cluster.local [100.123.14.4]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id C48247E3211; Tue, 07 Apr 2026 15:02:49 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; d=mailchannels.net; s=arc-2022; cv=none; t=1775574169; b=PaiAgler9zp2yCJbsk4Ive6wR4FNcZZE4o/md2wTqFVXKfrxnM9r7K/SAnIbjqu9nO3YPg lY2nmNWyxWLCgarWZKB14bj8r6tyv57vNR+7Hm98NDM2t5CP0w/ZwgFzj7gx/pVC1UqxnV 1DSoFAHe1ptY+VwQe03QbhiX0MFQ7rG/0ppYHS7NWFDgKNn0PJxyPQXrZ/rX6QC+hLZbMY zXsRV1ERiutTewdcH2z8/Sf+jzNneODZLkX57+nzBsCQn0uW6uvHLbCgTizbORoLCQHyHT 5b/BiIhNYJtooOWNIUM+E5cT8cqUWfacDVXuiDVg9jJ3TK4jA5RErv9ImV8JgA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1775574169; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=HhZqNXEbq85CiWI3xsAhmRyKpH4NT6CCDFVR/IhduXg=; b=gQZbSTmMLv3iCfev2m83rgEXfc2SizXcdmZH0JZXuSjxXgwTIS20JpYGWOgiAg9YZAZ5nj N3DN6LVU2qAQ+FVL/fxzJ/r7oZgW+etlxWnWS/kKE8kLsgdX9BJM2oM/crj6gU8DRG8v+G EAGuaMvvQhetZQRzmfoTF2t0aXGmIDu5iJSasBudARDYVGb4KETGKDIbvuDkEp4XkPhL7Y pBeLBUnooiPP/xTnOdBADdO+WbnGwud7H6+eY1CaqUf9RW9MzOS+7OHspAgYd103auSa0q uw3d0raYk5FLARIfecyXec32UD2+PSAxKjF3YOrojkbpGAayoVhWTjQbGa6+vA==
ARC-Authentication-Results: i=1; rspamd-7d86dcc447-qfzgz; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Relation-Plucky: 04394bd966e905c8_1775574170138_3455739177
X-MC-Loop-Signature: 1775574170137:1934057322
X-MC-Ingress-Time: 1775574170137
Received: from pdx1-sub0-mail-a205.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.123.14.4 (trex/7.1.5); Tue, 07 Apr 2026 15:02:50 +0000
Received: from ubby (unknown [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a205.dreamhost.com (Postfix) with ESMTPSA id 4fqqF503gbz1s; Tue, 7 Apr 2026 08:02:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1775574169; bh=HhZqNXEbq85CiWI3xsAhmRyKpH4NT6CCDFVR/IhduXg=; h=Date:From:To:Cc:Subject:Content-Type; b=GhXGXt7ACkhTWgbB/241Jjb+m2YLC9cvXiiBGtv8q7bBQ/UIdaPyYl9h4+1bDdY/x /fIUJJR4ptIxNqFY1CsYlL63vKiLv0AiKIqj6XCF8JgzUT9hbyrwQm4t33A6UiESNI 6P46q2de3i/Ny6tsJirMXdLrkupMme5qieIINKwZU/35kXDXiuot4x0bAbdr+DHUyE M3b08/HE+lkRc95QWpgVRETGEYxIw5gRvqkLz0xb7WTxiL06EkwZa9uhOgEZ+Pilm0 og99ypRdeEG9FfSmTLufgKPoiMVQziyWt3JdV51N4l2LZx2Va1gUZCUbPnMcXv0Nzl Y06iipZkCoR8w==
Date: Tue, 07 Apr 2026 10:02:46 -0500
From: Nico Williams <nico@cryptonector.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Message-ID: <adUclq83CGuH9YOM@ubby>
References: <59ADD91D-9A81-4DC5-A3B5-3D8C2747AB96@vigilsec.com> <3d933b83-2b0a-40ac-80b9-dd2cc15b4766@tu-dresden.de> <903E494F-9C92-45C9-ADB2-96456A88AF91@vigilsec.com> <dbf63a1c-f1e0-480e-90a5-67f74b661267@tu-dresden.de> <adQkkfDWpMYySub0@ubby> <60167faa-c4bd-4397-988d-8b226a73b705@tu-dresden.de> <adQ2C/gPwGutLSux@ubby> <5d3aba60-d52d-4408-a5a2-b1c8bd3a6c8d@tu-dresden.de> <adROgdd2QYDRIhDA@ubby> <b55845fe-024e-4dda-b8ce-0e6ba99ad5ea@tu-dresden.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <b55845fe-024e-4dda-b8ce-0e6ba99ad5ea@tu-dresden.de>
Message-ID-Hash: XZZH5JUKQARWHWUDCXZ62XLY2OYHPTK3
X-Message-ID-Hash: XZZH5JUKQARWHWUDCXZ62XLY2OYHPTK3
X-MailFrom: nico@cryptonector.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: New Liaison Statement, "Liaison communication to IETF regarding draft-ietf-tls-mlkem"
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1Cj_Jb7eh9LVyIh42jyWcQD3IiU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Tue, Apr 07, 2026 at 11:59:45AM +0200, Muhammad Usama Sardar wrote:
> Thanks Nico for sharing your insights. I think this is useful discussion and
> might help us make some use case for pure ML-KEM.
> 
> To be on the same page, framing the problem for clean discussion. Could you
> please clarify which one of the following did you mean?
> 
>    Outer TLS: Network layer: use pure ML-KEM
> 
>    Inner TLS: Application layer: use ML-KEM + ECDHE

This one.  Remember, the two layers are effectively independent.  If you
want to protect against CRQCs your options will be pure PQ or hybrid PQ,
and here IEEE seems to want pure PQ while we seem to want hybrid PQ,
thus it's this picture above.

(Except the "outer TLS" is only for negotiation of keys.  The actual
packets are not encrypted using TLS but something else more akin to
DTLS.)

> OR
> 
>    Outer TLS: Network layer: use pure ML-KEM
> 
>    Inner TLS: Application layer: use ECDHE

Not this one.

> What I still find confusing in both cases is that if outer TLS is
> long-lived, then performance benefit of pure ML-KEM (vs. ML-KEM + ECDHE)
> should not be a valid argument. That is even if I accept that the
> performance impact of ECDHE is significant, it is just one-time
> bootstrapping cost for a connection that will be lasting for long-term. What
> am I missing?

I agree, it's the app that will be doing more key exchanges, thus the
app that would benefite from pure PQ performance-wise.  The question for
you is: should we, and _can_ we dictate the choice of hybrid or pure PQ
for 802.11x?  I think the answer to that is no -- we should advise the
IEEE, but they can do as they please.

Nico
--

v2.40.4 | Report a Bug | By Email | System Status