[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)

Nadim Kobeissi <nadim@symbolic.software> Thu, 16 July 2026 10:40 UTC

Return-Path: <nadim@symbolic.software>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5F793117C014C for <tls@mail2.ietf.org>; Thu, 16 Jul 2026 03:40:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1784198432; bh=BiYAHg4fk4rNaPDoELdAwxyouDSZ5KD5Omdy2LdJMLY=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=zW08Ur3Jg5CUMUX4htsswkc30Lj5dM1GjBxwq9Yi5YF0C+/fLGYdE27hi3k/ZdqT/ kyd+c2rtzUKL9D9/lEZIXKAzeYODfazsExTczlcuoLhQLAshb6XX6FtLXf6o2g9O2+ KeqdnY601hOT9SLW6YXKGi4Re8QZBcWx59+e/bP4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=symbolic.software header.b="kwCHmPtS"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="iUeKmTnL"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sDXijGpVMjg9 for <tls@mail2.ietf.org>; Thu, 16 Jul 2026 03:40:30 -0700 (PDT)
Received: from fhigh-a8-smtp.messagingengine.com (fhigh-a8-smtp.messagingengine.com [103.168.172.159]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id ADA43117C00DD for <tls@ietf.org>; Thu, 16 Jul 2026 03:40:28 -0700 (PDT)
Received: from phl-compute-05.internal (phl-compute-05.internal [10.202.2.45]) by mailfhigh.phl.internal (Postfix) with ESMTP id 3D78B14000F8; Thu, 16 Jul 2026 06:40:22 -0400 (EDT)
Received: from phl-frontend-04 ([10.202.2.163]) by phl-compute-05.internal (MEProxy); Thu, 16 Jul 2026 06:40:22 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= symbolic.software; h=cc:cc:content-type:content-type:date:date :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm2; t=1784198422; x=1784284822; bh=2VREARiz/T5WGazqUW9eCdcpqgBElW9P1I9KE01Jb1c=; b= kwCHmPtSM9FNcqTZZQiCtfCdkjx/gsxJRZqkasZ9vmbsPiqH9DmRWnuYvc5YtC3G PUImnS4tBTgAhf0uaqUjzlJgQH424Kl7LbfCel9oo3hipjwdZyXTG3WGBFNJQxur SR5nD9qnj4aas0B7c4RBf50yrbmXzhtS993lwMVhWuCpkk0RVAA2R1vZ6BCfAyfk gHfrcPZbKvFiy2l5/du4/I/4X9qA3DwxqG/60sPJDLoa+6IIQ8CwmhFDp3erQxPo bsn0Lt3GdakH2ZFk36uJJ2TA0HkwSdVdHf+hBTtf1l/RH352xBv9YUrLSlBQ/HoV TiUBxIwU9Pa4ELQek/5tmQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t= 1784198422; x=1784284822; bh=2VREARiz/T5WGazqUW9eCdcpqgBElW9P1I9 KE01Jb1c=; b=iUeKmTnLhVzj0WRwhV3RERWFVXrlkC9ib9Fr6IIRAvB3aPEh7sp D4/4r9CQSGJM/LboaOKwkszoE3fnnOK/W9npiL9xRB7BNvxdPkdMHE6bcgPG1rqF cK/6tgb7DClVNKbA1+QaRQ4RjbHsOWTA/cHW36JBRCBehSFhjLtKuOw+XHYR4fdH 0Mg34so/Uy50j1nZRoCXUMcx2WhGaw+zwfyBwNdz2p1M2uOB63la80NeYy8nP0B4 +ei5FvuusNUBnJLQE24NNWc5fxlbZDInw4f5m67WfUR3/B2o78OWr7wONT4pLx/o 09Hu5kY0ZhZtiAyezk9EbRkp7+csvNqXy0Q==
X-ME-Sender: <xms:FrVYamr3FByZz4pU6NbiWzFr9Uu_2V4B7dHwShm_UK_Nx-Y5XSNggQ> <xme:FrVYag-BmY4IoCBwk-oMOajUNLzAqUx-8fIz0G0ZOLG8r5IsF3pDBB8Qr9YxVHlzE k2mGz9AJSVRFQQW27eYPtm0WMqYf0vMtvGe0nSDPd9jAlbkFZBTKi4>
X-ME-Received: <xmr:FrVYat92IqxIzNW4ztVB8o_H6VDiOq04UYvAxs-9f_f3F80JYzA7u3SoaeQt_aRtInQ>
X-ME-Proxy-Cause: dmFkZTGdmGk0lDk1/y4iIvHAyOsJPZMsb2+odhT4O9WlVmABNCTS6Qv+T/tAZ7RMT3WZlF pfy+E7Lkj5vHYO+NLdX5ThboDcwuFVvqeLYqyXUSzLcXtGNesZnAEDMVD0DOEfOXyIkgfQ l9BaZoTmx4OxmMI4OCRuv7Q3M64+u/TLHazeEya1HeymRXcMmpXYvITyMwMk4G4QTieZgk 01pbzDJxW54l2w4SuuWvrD8Q8IPBfbBslXuybrudWLrs4ipnT97v/yN74ZznQlCs+TEhvB wU18Wz2+atD6J/ZVZY0z/WZeb0VM2Vs8L8wqXUO5CGrFReI16auNUUk4xYbQPEKSpGhkji 1CG9cTqil4KMTFaxN0c3xPRJ+TmWkXtxK1SyCA1MTzQZBtkQYoOQJC9iNLzfzPy+5qpvWp oEgWKt3xjHqGPtZZL4hLME81TrvD+bUfhXL9lqk0PTdaHcV2s7tIOQ9B3ei2V1B1Q7Op3U WpdlbkZMi27pcXLcOId8MHksINUeVQ7tEx5hTOxaZDlZjAB94CkIYQ42bHSBgGkTi6XYZT UsKUjjuwaxNAnvlRGrkycQZEUR/mlRZE1KJGWCXwnurXofs0lvYltadUAXcP0hJJfZhF/E Etqs6zZCHlAWxQbj+l2DaV5J2hgDyi/9wkIRMXcNopTOqHQHiyyH0DnPS2ug
X-ME-Proxy: <xmx:FrVYanuWoBFCDrDNTPqt-xp1i0tq5DJH8amUoUhaQVc6bwexiMgFNA> <xmx:FrVYaoqKP2ARjlzJPqge9LqbjhRUI6r-e7TWWQ6nm_coGugrZf7Ytg> <xmx:FrVYaslBmJwurOmutDGCGakd3v6UWiJp7Ihn22g7yvTBUX_bQSLbeA> <xmx:FrVYakwWAVVueYX43iuia3qyqAgIZYLZvoMeLS5XTZEQrlblhMGYmg> <xmx:FrVYapVgbxdVwIMg5fT1W7N6AlhxHOjfCXs2XVk5qmJtDkcCc0ShOq3e>
Feedback-ID: i6d3949ed:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 16 Jul 2026 06:40:21 -0400 (EDT)
From: Nadim Kobeissi <nadim@symbolic.software>
Message-Id: <4F76363D-3E24-41E8-9D45-8434C5352664@symbolic.software>
Content-Type: multipart/alternative; boundary="Apple-Mail=_58196216-1DC2-4069-925D-5A23DE22B04B"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.600.51.1.1\))
Date: Thu, 16 Jul 2026 13:40:19 +0300
In-Reply-To: <e1690372-4167-4407-af52-98e462ea009d@appelbaum.net>
To: Jacob Appelbaum <jacob@appelbaum.net>
References: <92e0e621-8efa-4e8d-a7ea-4183981616b9@streamsec.se> <0e91ce21-028a-438d-9ea8-a416d3d393ee@appelbaum.net> <78945c98-373b-4041-84fc-79689d4b67f1@streamsec.se> <70756c21-7ecc-4f83-89ee-db9a69331a0f@appelbaum.net> <655d7b49-e099-40a5-a04c-546a54d6ce57@streamsec.se> <6d3bb45c-4bf0-43b9-a9e8-7e4632eebe94@appelbaum.net> <CA+iU_qn0XUYY8MEgyEOZuNt=bsHoBd1kKOjyNuFAjVOYG8FoPw@mail.gmail.com> <AS4PR07MB8825C6262BD443833F31A2D089FB2@AS4PR07MB8825.eurprd07.prod.outlook.com> <9f8ca8d5-c6f8-4c17-bc0f-e383c8f8e0d2@amongbytes.com> <CAFN1edp0=Yy5fpfRaPDEQFNNJCFYc40BGKX+YQ60yGSm5YVOzw@mail.gmail.com> <alOtqkD-ReSBeRzE@chardros.imrryr.org> <5b489b67-bc71-459c-bef8-8758dec2b3b0@appelbaum.net> <10c57c2e-a522-d654-7b3b-88522aefaa18@nohats.ca> <8b4142ef-8136-45de-adb4-3c25da4df411@appelbaum.net> <3c98fb1d-f839-fa9a-7bbb-47d436a77241@nohats.ca> <e1690372-4167-4407-af52-98e462ea009d@appelbaum.net>
X-Mailer: Apple Mail (2.3864.600.51.1.1)
Message-ID-Hash: T2465NC247DHQJWBDQAAWADBSVNMD3HF
X-Message-ID-Hash: T2465NC247DHQJWBDQAAWADBSVNMD3HF
X-MailFrom: nadim@symbolic.software
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7e_76QV0-KmRaM4WtVewjO84oOo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Jacob writes:

> Fair enough. Here is a start on a minimal list I think the text needs to
> cover:
> 
> - cite the third-round Kyber submission;
> - cite FIPS 203 Appendix C, where NIST documents removing `m <- H(m)`;
> - state the FIPS 203 approved-RBG requirement;
> - state that `m` is recovered by the decapsulating peer;
> - recommend restoring Kyber's hashing of `m` as defense in depth against
>  hidden-structure RBG failures;
> - cite Dual_EC_DRBG as the public standardized example.
> - quote the relevant part(s) of FIPS 203 C.1
> 
> I can turn that into concrete PR text. Before doing that, I would like
> to understand whether the WG is open to text at this level of
> specificity, or whether the only text people are willing to consider is
> a generic RNG sentence. If the generic sentence is the only thing on
> offer, I would request someone else draft it and I am happy to give
> feedback.

This is incredibly unreasonable to the point of being disruptive. You are basically demanding that the IETF undermine the entire point of NIST standardization, on top of all your baseless insinuations about personal motivations of those who disagree with you and your unreasonable threat modeling when thinking about the entire question of `m` in ML-KEM and sources of randomness.

At what point does this become pure concern trolling? I regret even making the effort to catch up on these discussions.

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 15 Jul 2026, at 5:25 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote:
> 
> Hi Paul,
> 
> On 7/14/26 03:17, Paul Wouters wrote:
>> The draft does not define crypto, it normatively references some crypto. It cannot both normatively reference it and modify it to make its own.
> 
> I do not think that follows and while it does not define the code point,
> it does define how the cryptography is used in TLS including Security
> Considerations. A TLS draft can normatively reference FIPS
> 203 and still explain the relevant assumptions and tradeoffs in Security
> Considerations.
> 
> FIPS 203 Appendix C itself documents that Kyber originally hashed `m`
> and that NIST removed that step because ML-KEM requires approved
> randomness generation. The TLS draft should say that plainly.
> 
> Namely, quote the entirety of C.1:
> ```
> C.1 Differences Between CRYSTALS-Kyber and FIPS 203 Initial Pub-
> lic Draft
> • In the third-round specification [4], the shared secret key was
> treated as a variable-length
> value whose length depended on how it would be used in the relevant
> application. In this
> specification, the length of the shared secret key is fixed to 256 bits.
> It can be used directly
> in applications as a symmetric key, or symmetric keys can be derived
> from it, as specified
> in Section 3.3.
> • The ML-KEM.Encaps and ML-KEM.Decaps algorithms in this specification
> use a different
> variant of the Fujisaki-Okamoto transform (see [24, 25]) than the third-
> round specifica-
> tion [4]. Specifically, ML-KEM.Encaps no longer includes a hash of the
> ciphertext in the
> derivation of the shared secret, and ML-KEM.Decaps has been adjusted to
> match this
> change.
> • In the third-round specification [4], the initial randomness 𝑚 in the
> ML-KEM.Encaps algo-
> rithm was first hashed before being used. Specifically, between lines 1
> and 2 in Algorithm
> 20, there was an additional step that performed the operation 𝑚 ← 𝐻(𝑚).
> The purpose
> of this step was to safeguard against the use of flawed randomness
> generation processes.
> As this standard requires the use of NIST-approved randomness
> generation, this step is
> unnecessary and is not performed in ML-KEM.
> • This specification includes explicit input checking steps that were
> not part of the third-round
> specification [4]. For example, ML-KEM.Encaps requires that the byte
> array containing the
> encapsulation key correctly decodes to an array of integers modulo 𝑞
> without any modular
> reductions.
> ```
> 
> Alternatively highlight this part of C.1 from FIPS 203:
> ```
> • In the third-round specification [4], the initial randomness 𝑚 in the
> ML-KEM.Encaps algorithm was first hashed before being used.
> Specifically, between lines 1 and 2 in Algorithm 20, there was an
> additional step that performed the operation 𝑚 ← 𝐻(𝑚).
> The purpose of this step was to safeguard against the use of flawed
> randomness generation processes.
> As this standard requires the use of NIST-approved randomness
> generation, this step is unnecessary and is not performed in ML-KEM.
> ```
> 
> Then I would suggest describing the total set of requirements from
> FIPS203 or giving advice that `𝑚 ← 𝐻(𝑚)` should be used if the NIST-
> approved randomness generation requirement is not met. I would also
> probably want to say that this change by NIST is not robust against a
> failure of their DRBG, nor is it robust against providing an oracle, the
> m-oracle, I suppose which may be queries over TLS and/or used to sample
> the DRBG outputs directly.
> 
>> The IETF cannot modify things that are an external normative reference. MLKEM is what NIST defined, not what you are trying to build now.
> 
> I am not asking the draft to pretend that NIST defined something else. I
> am asking the draft to document the consequence of what NIST defined:
> without the approved-RBG assumption, the rationale for removing Kyber's
> hash over `m` no longer holds.
> 
> If the draft does not restore `m <- H(m)`, then it should at least state
> the FIPS 203 approved-RBG requirement and the fact that `m` is recovered
> by the decapsulating peer.
> 
> This matters in practice. Many implementations will use `os.urandom`,
> `/dev/urandom`, `/dev/random`, `/dev/hwrng`, `getentropy()`,
> `getrandom()`, or another platform or library interface. Those may be
> excellent choices in a well-designed system, but they are not
> automatically the same thing as a NIST-approved RBG satisfying the FIPS
> 203 condition used to justify removing the hash.
> 
> One way to make the dependency clear is to think of the real requirement
> as something closer to:
> 
> - ML-KEM-512-Hash_DRBG
> - ML-KEM-512-HMAC_DRBG
> - ML-KEM-512-CTR_DRBG
> - ML-KEM-768-Hash_DRBG
> - ML-KEM-768-HMAC_DRBG
> - ML-KEM-768-CTR_DRBG
> - ML-KEM-1024-Hash_DRBG
> - ML-KEM-1024-HMAC_DRBG
> - ML-KEM-1024-CTR_DRBG
> 
> Listing that is a concrete suggestion for the text but I do not feel
> strongly about where it goes in the text.
> 
> These are shorthand examples names and I am not suggesting new algorithm
> names. The point is that FIPS 203 relies on an approved RBG of
> appropriate strength. If an implementation omits that part, the reason
> NIST gave for removing Kyber's hash over `m` no longer applies.
> 
>> This answer circles the answer by not distinguishing between the RNG issue and any other issues. You still did not answer the question.
> 
> My answer is: not as-is.
> 
> I am open to text that is applied consistently to both ML-KEM drafts.
> But a generic sentence about "use a good RNG" does not address the
> specific FIPS 203 requirement, nor the protocol consequence that `m` is
> recovered by the decapsulating peer.
> 
>> This does answer it better, it seems your answer is "no".
> 
> No. My answer is not "no no matter what." My answer is "not as-is"
> because your suggestion is not even a full suggestion where I could just
> say yes.
> 
>> Which is the same issue as the "m concern".
> 
> Related, not identical. The approved-RBG dependency is the assumption
> and a requirement. The `m` concern is the protocol consequence when that
> assumption is not met, or when it is hidden from implementers.
> 
>> For one, this is not different between pure and hybrid, yet you have no issue with the hybrid Security Considerations?
> 
> I do have an issue with the hybrid draft on this point. The same
> Appendix C tradeoff and the same `m` issue apply there too. Hybrid helps
> against some failures, but it does not automatically help if the same
> recoverable RBG lineage later feeds the classical ephemeral scalar. The
> removal of the hash leads to some fun issues and not only with
> Dual_EC_DRBG but also.
> 
>> Second, it seems as people said, TLS already provides a huge amount of options and parameters to use as a covert channel.
> 
> Agreed. That is why broader covert-channel work is also needed. But that
> does not justify leaving this specific ML-KEM issue unexplained in these
> drafts. It is a bit annoying to go back and forth between each layer
> where a different layer is used as a reason to ignore the issues in the
> layer under discussion.
> 
>> What would a TLS implementer need to know when it uses a cryptographic library to support a new cipher, whether hybrid or pure?
> 
> They need to know at least:
> 
> 1. FIPS 203 requires ML-KEM randomness from a NIST-approved RBG.
> 2. `m` is recovered by the decapsulating peer.
> 3. Kyber originally hashed `m` to protect against flawed randomness.
> 4. Dual_EC_DRBG is the public standardized example of a
>   hidden-structure RBG failure.
> 5. Hybrid does not automatically help if the same recovered RBG lineage
>   later feeds the classical ephemeral scalar.
> 6. This change was an intentional choice by NIST and the IETF does not
> agree with this change as it cannot mandiate the use of a specific DRBG.
> 
>> First, it seems most of the items you just listed are the same item, and basically you want it to say "don't use pure, use hybrid instead",
> 
> That is not my position. The `m` issue applies to ML-KEM in both the
> standalone and hybrid drafts. My concern is that the drafts do not
> clearly state the FIPS 203 randomness requirement, the Appendix C
> tradeoff, or the peer-recoverability of `m`.
> 
>> Second, if you want this document to proceed with some newly added text, it is up to you to propose such text to the WG.
> 
> Fair enough. Here is a start on a minimal list I think the text needs to
> cover:
> 
> - cite the third-round Kyber submission;
> - cite FIPS 203 Appendix C, where NIST documents removing `m <- H(m)`;
> - state the FIPS 203 approved-RBG requirement;
> - state that `m` is recovered by the decapsulating peer;
> - recommend restoring Kyber's hashing of `m` as defense in depth against
>  hidden-structure RBG failures;
> - cite Dual_EC_DRBG as the public standardized example.
> - quote the relevant part(s) of FIPS 203 C.1
> 
> I can turn that into concrete PR text. Before doing that, I would like
> to understand whether the WG is open to text at this level of
> specificity, or whether the only text people are willing to consider is
> a generic RNG sentence. If the generic sentence is the only thing on
> offer, I would request someone else draft it and I am happy to give
> feedback.
> 
>> So "pure" is what the IETF is using now for consistency.
> 
> Point of clarification: did you mean ML-KEM or ML-KEM-WITH-A-DRBG when
> you said pure in that context?
> 
>> The current text is the consensus proposal of two years of talk within the TLS WG.
> 
> The WGLC for draft-ietf-tls-mlkem-08 has ended, but I have not seen a
> declaration of consensus. We also do not yet have agreed text that
> addresses the FIPS 203 randomness requirement or Appendix C tradeoff.
> 
>> I am not aware of any technical concerns.
> 
> Then let us test that with concrete text. The concern is not merely a
> different risk preference. It is that NIST's rationale for removing
> Kyber's hash depends on an approved-RBG requirement that the TLS draft
> does not clearly carry forward.
> 
>> So to me that makes it clear that in practise, your answer will remain "no".
> 
> No. If the drafts clearly document the FIPS 203 approved-RBG assumption,
> the peer-recoverability of `m`, and the reason Kyber hashed `m`, I am
> open to changing my view. If the text is only "use a good RNG", then no,
> that is not enough.
> 
>> As I explained above, you providing concrete text additions/ modifications will help determine consensus of your suggestions
> 
> I take that point. I can provide concrete text. My concern is that the
> Last Call has already closed, so I am asking how the chairs intend to
> handle new text if there is support for it.
> 
>> Rough consensus is achieved when all issues are addressed, but not necessarily accommodated.
> 
> Agreed. My position is that the issue has not yet been addressed. It has
> mostly been reframed as a generic RNG problem, which misses the specific
> Appendix C tradeoff and the `m` oracle.
> 
>> The one thing that is clear to me is that what you are asking for is basically changing the normative reference.
> 
> I reject that framing. Security Considerations routinely explain
> assumptions, risks, and implementation guidance around normative
> references. That is what I am asking for here.
> 
> The normative reference itself discusses Kyber and ML-KEM together in
> Appendix C. Quoting and explaining that text is not changing the
> normative reference. It is making the reference intelligible to TLS
> implementers.
> 
>> Adding a generic statement about RNG is the only compromise possible.
> 
> I do not agree. A meaningful compromise would state the actual FIPS 203
> approved-RBG requirement, state that `m` is recovered by the
> decapsulating peer, and explain that Kyber originally hashed `m` to
> protect against flawed randomness.
> 
>> If that is not good enough for you, your only option is to voice that you are against publication -
> 
> That is not my only option. I am currently against publication as-is,
> but I am also trying to find text that could resolve the issue.
> 
>> and to be consistent, I would expect you to be against publication of both the pure and hybrid mlkem drafts, as they are identical in that part, using the same normative reference of NIST.
> 
> I am against omitting the relevant FIPS 203 Appendix C details in both
> drafts. I am against omitting advice to implementers who are not running
> a FIPS-validated stack. I am against omitting the fact that `m` is
> available to the decapsulating peer. And I am against omitting the
> historical example of Dual_EC_DRBG when discussing hidden-structure RBG
> failures.
> 
> A suggestion of generic RNG sentence that is not a concrete suggestion
> is not enough, no. Text that states the FIPS 203 approved-RBG
> requirement, the peer-recoverability of `m`, and the reason Kyber hashed
> `m` would be meaningful.
> 
> Kind regards,
> Jacob Appelbaum
> 
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org