IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

"D. J. Bernstein" <djb@cr.yp.to> Thu, 27 November 2025 11:04 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CE8A191A5003 for <tls@mail2.ietf.org>; Thu, 27 Nov 2025 03:04:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.196
X-Spam-Level:
X-Spam-Status: No, score=-4.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=unavailable autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-HnTpwb7n0O for <tls@mail2.ietf.org>; Thu, 27 Nov 2025 03:04:04 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by mail2.ietf.org (Postfix) with SMTP id 9975991A4FA4 for <tls@ietf.org>; Thu, 27 Nov 2025 03:04:01 -0800 (PST)
Received: (qmail 3839286 invoked by uid 1010); 27 Nov 2025 11:04:00 -0000
Received: from unknown (unknown) by unknown with QMTP; 27 Nov 2025 11:04:00 -0000
Received: (qmail 410185 invoked by uid 1000); 27 Nov 2025 11:03:48 -0000
Date: Thu, 27 Nov 2025 11:03:48 -0000
Message-ID: <20251127110348.410183.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
Mail-Followup-To: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
In-Reply-To: <aSdquOwZR8xKeVLt@akamai.com>
Message-ID-Hash: VGJKJYQQ4YREN5AOUW2YA5HVKFENLZVN
X-Message-ID-Hash: VGJKJYQQ4YREN5AOUW2YA5HVKFENLZVN
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7Ilc0xmC7IJakW4uPKnQFWY3q90>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Benjamin Kaduk writes:
> And I assume that the bit where ML-KEM-768 is approximately 3% faster than
> X25519 plus ML-KDM-768 is for a microbenchmark scenario where we are just doing
> key exchanges and nothing else, so may end up in the noise for some traffic
> patterns

I thought you were asking for the key-exchange timings?

I fully agree that applications are normally doing things other than key
exchange. Looking at current numbers shows that pervasive ECC usage is a
tiny part of total costs---which to me says that _of course_ we should
keep ECC unless and until there's an overwhelming case for removing it.

For example, in 2024, only about 1 out of every 2000 CPU cycles at Meta
was spent on ECC:

    https://web.archive.org/web/20250906094758/https://engineering.fb.com/2024/11/12/security/how-meta-built-large-scale-cryptographic-monitoring/

More precisely, what they said is that they spent "0.05%" of cycles on
"X25519 key exchange". This will be close to their total ECC cost, given
the very large fraction of TLS connections that use X25519:

    https://web.archive.org/web/20250317194150/https://mailarchive.ietf.org/arch/msg/tls/pQRDJ9MBwnmLHp86Zvs_CfYUFaY/
    https://web.archive.org/web/20250414193700/https://mailarchive.ietf.org/arch/msg/tls/vWAEg7E3jeLZjLABVaMVLR0flX4/
    https://web.archive.org/web/20250413183440/https://mailarchive.ietf.org/arch/msg/tls/lWh_uimMIgQ6SMV_BSkJDh34eQM/

I find it striking that they portrayed this tiny fraction of Meta's
overall costs as a big expense, with words such as "the sheer volume of
usage". I understand the perspective of a cryptographic engineer happily
saying something like "I saved the company a million dollars", but it's
important to ask whether a cost improvement is coming at the expense of
security. A security incident can easily cause the company vastly more
damage---even ignoring the broader societal damage beyond what companies
end up paying for. This is why, for example,

    https://www.forbes.com/sites/stevemorgan/2016/01/27/bank-of-americas-unlimited-cybersecurity-budget-sums-up-spending-plans-in-a-war-against-hackers/

reported the Bank of America CEO saying in 2015 that "the only place in
the company that didn't have a budget constraint was cybersecurity".

---D. J. Bernstein


===== NOTICES =====

This document may not be modified, and derivative works of it may not be
created, and it may not be published except as an Internet-Draft. (That
sentence is the official language from IETF's "Legend Instructions" for
the situation that "the Contributor does not wish to allow modifications
nor to allow publication as an RFC". I'm fine with redistribution of
copies of this document; the issue is with modification. Legend language
also appears in, e.g., RFC 5831. For further background on the relevant
IETF rules, see https://cr.yp.to/2025/20251024-rules.pdf.)

v2.36.0 | Report a Bug | By Email | System Status