[TLS] Re: FATT Chance: On the Robustness of Standalone and Hybrid ML-KEM Key Exchange in TLS 1.3
Andrew Lee <andrew@joseon.com> Fri, 05 June 2026 17:57 UTC
From: Andrew Lee <andrew@joseon.com>
Date: Fri, 05 Jun 2026 10:55:26 -0700
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
CC: Nadim Kobeissi <nadim@symbolic.software>, "tls@ietf.org" <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2xUaL_NTqi4Mdnx0MpLlokjPmcw>

> On Jun 4, 2026, at 1:21 PM, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
> > we add a statement on preference of hybrids and refer to the paper in the security considerations of draft-ietf-tls-mlkem.
> We already do that by marking the hybrid as RECOMMENDED=Y and the pure-ML-KEM as RECOMMENDED=N
>

This happened after a significant amount of time and was deliberately steered toward the opposite of said result before fury from outside of the list (the greater internet) helped bring accountability to those who had hoped for ML-KEM standalone.

Interestingly, despite the availability of scientific methods to identify the best path forward, as proven by Dr. Kobeissi in this thread, there was no interest in treading this path prior to making dangerous recommendations to the populace.

While things turned out for the better in this case, thanks to Dr. Bernstein and Dr. Kobeissi, and several other members here [1] who were willing to speak up and go against the “false consensus,” [2] we cannot rely on a few heroes to protect the global populace in the future.

It may seem like we achieved a “win” here and even feel at peace and wish to rest; this is not that time. Let’s not sweep this under the rug.

Consensus is broken in a way that allows bad actors to push questionable security standards which makes every person in the world vulnerable. The IETF’s organization, and procedures therein, needs a serious refactor.

Examples:

1) Consensus was declared by chairs although the overall group consensus was that consensus hadn’t yet been achieved.
2) IETF Chairs are participating in Lord of the Flies style Piggy character assassination on social media while pretending to be “unbiased” and “mature.”

All of this said, the one thing that brings me solace is that it’s now customary procedure in the IETF to perform verifications on things of this nature, and any push for adoption, prior to, will absolutely be a signal for nefarious activity going forward.

It would be a strong signal should the WG adopt this new custom as a standard, going forward, requiring formal/symbolic analysis prior to making any recommendations.

[1] Thank you as well, Mr. Salz, sir, for all of your work foremost, and also for your vote toward hybrid.

[2] There were most certainly bad actors [3] who voted for non-hybrid, while some were likely not paying enough attention or perhaps misinformed/under-briefed.

[3] People (or paid agents of some kind and from some state) working to undermine global security.