[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

David Adrian <davadria@umich.edu> Tue, 07 October 2025 18:54 UTC

MIME-Version: 1.0
References: <CAOgPGoA+c8kXDizwsvFG5tLz9+Kxk0HqiN1skKp5jMvvpxeu0Q@mail.gmail.com> <CABcZeBO+3u=1=ueNscq+O74Qv=7PC5NedsGsugp=GZjVqtODoQ@mail.gmail.com> <CAMjbhoVcxTfppSrkC27F8uf9hKvqTDBsG_-dzGtWbjia5YhmXw@mail.gmail.com> <aOVWcf9JFllri-vG@netmeister.org> <87h5wapnqf.fsf@josefsson.org> <CACsn0cmfNvqjD4QVUa_EKexCFqix83_NWYsMu=Hru4U6T5DGgg@mail.gmail.com>
In-Reply-To: <CACsn0cmfNvqjD4QVUa_EKexCFqix83_NWYsMu=Hru4U6T5DGgg@mail.gmail.com>
From: David Adrian <davadria@umich.edu>
Date: Tue, 07 Oct 2025 11:53:53 -0700
Message-ID: <CACf5n7_+xSY8wU-Ci3on9Rhm8rn0UauEcdfjFs6MrKw7pmXHmw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008a9335064096178e"
Message-ID-Hash: KW6RFVKEIFWVHCD2IBV5RYSD44VGU4SE
CC: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, tls@ietf.org
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7JYmGZqVu7cuH7A3wN4_Yx_k9Pg>

I believe the document is ready for publication. I am fine publishing
as-is, or with a X25519MLKEM768 as a Recommended=Y. I have no opinions on
the other key agreements.



On Tue, Oct 7, 2025 at 11:44 AM Watson Ladd <watsonbladd@gmail.com> wrote:

> I haven't seen anyone say they don't want to see a Y by
> X25519MLKEM768. Since this is the widespread and adopted solution
> right now, we should do everything we can to encourage use, and punt
> on the harder question of what other hybrids to recommend.
>
> On Tue, Oct 7, 2025 at 11:32 AM Simon Josefsson
> <simon=40josefsson.org@dmarc.ietf.org> wrote:
> >
> > The discussion below suggests to me that X25519MLKEM768 is the running
> > code de-facto algorithm that ought to be on the Standards Track and
> > Recommended=Y and the other variants should be split off to a separate
> > Informational document with Recommended=N for niche usage.
> >
> > I believe generally that we need multiple PQ-safe hybrids as Standards
> > Track and MUST/Recommended algorithms for all our Internet security
> > protocols like TLS, SSH, etc, so I would encourage deployment of
> > additional PQ-safe hybrids for TLS.  Settling with X25519MLKEM768 only
> > is not the final solution.
> >
> > Mitigating algorithm profileration is a consideration, but security
> > heding is more important.  It would be nice to get X25519 combined with
> > FrodoKEM, Classic McEliece, SNTRU, and more deployed for TLS too, so we
> > have options.  I believe it makes more sense to add some other PQ KEM as
> > a StandardsTrack/MUST/Recommended than to have SecP256MLKEM768 there.
> > In fact, I would go further and say that we should progress two at the
> > same time, to not get into a single point of failure situation.
> >
> > /Simon
> >
> > Jan Schaumann <jschauma=40netmeister.org@dmarc.ietf.org> writes:
> >
> > > Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org> wrote:
> > >> This is the breakdown of client support Cloudflare sees (relative to
> any PQ
> > >> support) in the last 24 hours by handshakes:
> > >>
> > >> 94% X25519MLKEM768
> > >> 8.1% X25519Kyber768
> > >> 0.038% MLKEM768
> > >> 0.014% CECPQ2
> > >> 0.012% MLKEM1024
> > >> 0.002% SecP384MLKEM1024
> > >> 0.002% SecP256MLKEM768
> > >> 0.00005% MLKEM512
> > >> 0.0000003% SecP256Kyber768
> > >
> > > [...]
> > >
> > >> I can see an argument for Recommended=Y for both X25519MLKEM768 and
> > >> SecP384MLKEM1024, but I do not see any value in recommending both
> > >> X25519MLKEM768 and SecP256MLKEM768.
> > >
> > > On the flip side, and as just some data points here, I
> > > recently did a check[1] of which sites/providers offer
> > > PQC, and what key groups they support.  Not
> > > surprisingly, it's almost all (and _only_)
> > > X25519MLKEM768.
> > >
> > > Amazon Cloudfront (as pretty much the only large
> > > service provider) offers SecP256r1MLKEM768.
> > >
> > > This is not surprising: AFAICT, the browsers only
> > > support X25519MLKEM768.  If no servers offer anything
> > > else, then browsers have no incentive to implement
> > > other key groups; if no browsers offer other
> > > keygroups, then servers have no incentive to offer
> > > them.
> > >
> > > -Jan
> > >
> > > [1] https://www.netmeister.org/blog/pqc-use-2025-09.html
> > >
> > > _______________________________________________
> > > TLS mailing list -- tls@ietf.org
> > > To unsubscribe send an email to tls-leave@ietf.org
> > _______________________________________________
> > TLS mailing list -- tls@ietf.org
> > To unsubscribe send an email to tls-leave@ietf.org
>
>
>
> --
> Astra mortemque praestare gradatim
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… David Adrian
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
[TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
[TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: [External] Re: Working Group Last Call … John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
[TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
[TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey