[TLS] Re: Fwd: New Version Notification for draft-usama-tls-risks-of-mlkem-01.txt
Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Tue, 02 June 2026 18:16 UTC
Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 91BC4F9767DE for <tls@mail2.ietf.org>; Tue, 2 Jun 2026 11:16:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780424206; bh=DcJ8OkeK0FhKVXja6jfPVUQy1+NTJRgzrGWH/C0zLOs=; h=Date:From:Subject:To:References:In-Reply-To; b=CPSI7qMIDWPnOCs0YVR7LAgQYkfarGaBktwH+lmmdstifTVDZaI9+gM0dv0/LA7TW UDwUKVe+k66QZ4mm0IhgsEiCnVG39rDdFO+SebONBdKG0FwGt9g8J1Mghkik2PC0hR kAHSOANdvtcxSn6UxvRrp0mrNUoUbZDWA6vhnXo4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y62hQtgR_3wg for <tls@mail2.ietf.org>; Tue, 2 Jun 2026 11:16:45 -0700 (PDT)
Received: from mailout7.zih.tu-dresden.de (mailout7.zih.tu-dresden.de [141.76.32.220]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id ED550F976755 for <tls@ietf.org>; Tue, 2 Jun 2026 11:16:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:In-Reply-To:References:To:Subject :From:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=bIBrZkxfChni12+45SXY8hNhQEXo/MMX5OXJbrW7kvI=; b=swugI38UZn4lSAVtZUx9qrCYnc qw4zvIj5IE2FnQL04BTbrGLqxGEMTXS6IcNd0I6eiyVA8m6pNC5LacO2dOXcVuF/glIK6A8t6SJ/k adyM+2C4TeNhDSMGk9FNvzYHJ8/A0FuTphmvg29Xm/zPO9u8+6mefVnC94Dp8BvXTucV/08m+l6WC TaFBg6ziG2fsKzBBCcBo+lsLpaEzwRP4LBH/w03p/thOTgP2MwQ8pwJBrC2/4H8kmWvajOoJ13EJD XQLzoxr92UzY2LRAHkAkZ3X52nKbuCBhCCeDU1Rh8gFiKLYLY+x3mclW/9f8l9GxJ4tg7gnG6iWMp /RmYR2Aw==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout7.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1wUTf8-00Ddab-2j for tls@ietf.org; Tue, 02 Jun 2026 20:16:31 +0200
Received: from [172.16.0.210] (141.76.13.149) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.37; Tue, 2 Jun 2026 20:16:25 +0200
Message-ID: <dcf6c64b-b356-4e49-b054-bc392270a429@tu-dresden.de>
Date: Tue, 02 Jun 2026 20:16:24 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: "TLS@ietf.org" <tls@ietf.org>
References: <178004897406.1571084.15428249207754239073@dt-datatracker-5b4c8598b5-4ztf9> <b9a8212d-cfe0-402b-9a8a-f63c1712d1db@tu-dresden.de> <CAHxYnaNC8it-gRHZPc4n-tgqwmBp06gfhy18sO77wSEJGjSmaw@mail.gmail.com> <CAFN1edrFmOGkrNWg6yXMC5XiOBHOHeJdkHXu=Fh1HQD-+rF1RA@mail.gmail.com> <ah6uNuZDLn4cxQPP@LK-Perkele-VII2.locald>
Content-Language: en-US
In-Reply-To: <ah6uNuZDLn4cxQPP@LK-Perkele-VII2.locald>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms060701070207010907080703"
X-ClientProxiedBy: msx-t421.msx.ad.zih.tu-dresden.de (172.26.35.138) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout7.zih.tu-dresden.de
Message-ID-Hash: ZSHNDAVIHPBREF4UPG6IVOCR3RBU5GNC
X-Message-ID-Hash: ZSHNDAVIHPBREF4UPG6IVOCR3RBU5GNC
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Fwd: New Version Notification for draft-usama-tls-risks-of-mlkem-01.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7f15cqOyL16RpVDAK9YHo_7L4CY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi, Thank you David, Simon, Nadim, and Jacob for the attestations. Thank you Ilari for the feedback. You are making good points which I have tried to address in the editor's copy. In general, there seems to be high momentum right now with at least 2 other WG participants conducting the formal analysis. Typically, finding volunteers is the hardest part of this process. Given the interest, initiating the FATT review feels like a constructive next step. Could you also please share your perspective on why 8773bis needed to go to FATT but not a paradigm change like standalone ML-KEM? It is worth noting that FATT review is harmless: 1. 'Nothing required' is a perfectly valid outcome. 2. WG is /not/ obliged to follow the recommendation of FATT. I have added it in the draft [3] anyway for those who may be worried. If there is any ambiguity, I can explain it further when I take the floor in Vienna. > I do not think there is any justification for doing FATT process for > stand-alone ML-KEM, but not for X25519MLKEM768. I have added a few justifications [0] in the draft. Could you please share the specific issues you see in [0]? That may not be very satisfying for a cryptographer, but I don't see anything wrong from a /symbolic/ perspective. If we put in all details of cryptography in the model, the /symbolic/ analysis may become redundant with the /computational/ model, and hence may become a duplicate effort losing the real complementary benefit /symbolic/ analysis could bring. > Any flaw in integration > of the former is highly likely to directly translate into a flaw in the > latter — due to the hybrid property. Sure, if we find a flaw which applies to hybrid, then [1] applies, e.g., chairs may do a quick WGLC and IETF LC requesting to keep its place in publication queue. > However, I think it is extremely unlikely that any such flaws exist. One of the motivations of formal analysis is to test things we assume to be highly likely. There are so many examples from history here. > The > arguments about "some level of symmetry" are unsound. You are right. That was admittedly very informal and with sincere apologies, I revoke the quoted attestation, and have tried to make it more precise. What I meant was DHKE part remains symmetric as before -- at least from symbolic analysis perspective, which is what I am currently interested in. Additional PQ component is concatenated to it. > Moreover, I do not think it is possible to prove soundness of > X25519MLKEM768 without proving soundness of stand-alone ML-KEM — as > soundness of X25519MLKEM768 includes it having hybrid property, meaning > it is still secure if ML-KEM is secure, no matter how throughly X25519 > is destroyed. From such soundness, doesn't it naturally follow that hybrids are at least as strong as the stronger of the two components?If such a statement is added, I believe that addresses the concerns of some. > And who in the IETF community do you trust to determine that? Anyone in the IETF community -- and more broadly in the world -- who will do ProVerif confirmation for the minimal viable modeling [2] that we have collectively found on the list and will answer any questions I may have. IIUC, at least two other WG participants are already working on it. > I support initiating the FATT process here, and I support the work > Usama is doing to use symbolic models to better understand the > protocol's security properties. Even where existing proofs give us > confidence, having an explicit symbolic analysis of the standalone-KEM > case is the kind of thing that's worth doing rather than assuming, and > there are clearly participants willing to do it. > > +1 from me. Thank you for your attestation. > +1 > > The entire idea behindhttps://github.com/tlswg/tls-fatt seems like a > good thing, and I wonder what would warrant side-step it. Thank you for your attestation. > In particular, I am curious to see how the FATT process will reconcile > NIST's requirements with TLS's choices. > > For example, does TLS with ML-KEM now require a NIST certified DRBG? I have added it in [2] for WG discussion. /Computational/ analysis may be helpful here. I think it will be good to state it clearly in the security considerations of draft-ietf-tls-mlkem. > I don't see any mention of patents in your draft. This seems > concerning when the world-wide patent waiver license applies only to > the exact specification which I understand imposes using a NIST > certified DRBG. > > Hopefully you will also include at least a basic analysis of these > matters. It was unintentional miss as I am not a patent expert to do a proper analysis but I have mentioned it in [4]. Best regards, -Usama [0] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-fatt-review-for-hybrid-key- [1] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-what-if-issue-is-found [2] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-minimum-viable-modeling [3] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-fatt-review-is-harmless [4] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-patents
- [TLS] Fwd: New Version Notification for draft-usa… Muhammad Usama Sardar
- [TLS] Re: Fwd: New Version Notification for draft… John Mattsson
- [TLS] Re: Fwd: New Version Notification for draft… Muhammad Usama Sardar
- [TLS] Re: Fwd: New Version Notification for draft… Nathanael Ritz
- [TLS] Re: New Version Notification for draft-usam… Nadim Kobeissi
- [TLS] Re: Fwd: New Version Notification for draft… Nathanael Ritz
- [TLS] Re: Fwd: New Version Notification for draft… Salz, Rich
- [TLS] Re: Fwd: New Version Notification for draft… Nathanael Ritz
- [TLS] Re: Fwd: New Version Notification for draft… Ilari Liusvaara
- [TLS] Re: Fwd: New Version Notification for draft… Salz, Rich
- [TLS] Re: Fwd: New Version Notification for draft… David Stainton
- [TLS] Re: Fwd: New Version Notification for draft… Jacob Appelbaum
- [TLS] Re: Fwd: New Version Notification for draft… Simon Josefsson
- [TLS] Re: Fwd: New Version Notification for draft… Ilari Liusvaara
- [TLS] Re: Fwd: New Version Notification for draft… Muhammad Usama Sardar
- [TLS] Re: Fwd: New Version Notification for draft… Peter C