IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

"D. J. Bernstein" <djb@cr.yp.to> Fri, 28 November 2025 10:13 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 3CCDB9200E69 for <tls@mail2.ietf.org>; Fri, 28 Nov 2025 02:13:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F450KRl0Hhoz for <tls@mail2.ietf.org>; Fri, 28 Nov 2025 02:13:30 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by mail2.ietf.org (Postfix) with SMTP id 272609200E64 for <tls@ietf.org>; Fri, 28 Nov 2025 02:13:30 -0800 (PST)
Received: (qmail 3872239 invoked by uid 1010); 28 Nov 2025 10:13:29 -0000
Received: from unknown (unknown) by unknown with QMTP; 28 Nov 2025 10:13:29 -0000
Received: (qmail 482405 invoked by uid 1000); 28 Nov 2025 10:13:20 -0000
Date: Fri, 28 Nov 2025 10:13:20 -0000
Message-ID: <20251128101320.482403.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <aSjSGfo2EG2+i2ov@akamai.com>
Message-ID-Hash: BTXIKGACO7ODCGUOJZEKCN3U3K2W4DU2
X-Message-ID-Hash: BTXIKGACO7ODCGUOJZEKCN3U3K2W4DU2
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8TeM11tngC_aME8bbfbMtbHM4fA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Benjamin Kaduk writes:
> the numbers here are *not* conclusive for all possible use cases and
> deployment contexts.

Sure, but if anyone had a real example of a TLS application where
removing ECC makes the difference for PQ deployability then we would
have seen the example by now (and the WG could proceed to an informed
discussion of whether supporting that application is worth incurring
security risks), rather then hearing just _insinuations_ of the cost
difference mattering.

GCHQ posted a "greater costs ... less efficient" anti-hybrid argument
online in November 2023. I pointed out in January 2024 that (1) GCHQ's
claims lead the reader to think that the cost difference here is
_important_, (2) GCHQ hadn't given any cost numbers, and (3)
quantification indicates that the cost difference _isn't_ important:

    https://blog.cr.yp.to/20240102-hybrid.html

The non-hybrid draft was posted later that year with a short, circular
motivation section. A request for motivation was answered with "CNSA 2.0
compliance" and, strikingly, an admission that "we can afford" to keep
the ECC seatbelt:

    https://web.archive.org/web/20250613195524/https://mailarchive.ietf.org/arch/msg/tls/qFRxBSnEPJcdlt7MO0cIL2kW5qc/

The closest this came to presenting an engineering rationale for the
draft, rather than the do-what-NSA-says rationale, was a claim that we'd
like to remove the "complexity" of ECC+PQ. But Andrey Jivsov pointed out
that this draft _increases_ complexity, given that ECC+PQ is (for good
reasons!) there anyway:

    https://web.archive.org/web/20250613195524/https://mailarchive.ietf.org/arch/msg/tls/uOmcMEqlyekrvcOgdsf7GtIlf3w/

There was no reply to this objection.

Meanwhile the official NSA PDF that was cited for the compliance claim
actually contradicts the claim: the PDF says "hybrid solutions may be
allowed or required due to protocol standards". An updated official NSA
PDF from 2025 says the same thing:

    https://web.archive.org/web/20250827175413/https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF

The TLS WG simply has to hold the line, standardize ECC+PQ, and refuse
any endorsement of non-hybrid PQ.

Apparently the Whac-a-Mole game now returns to cost claims, misleading
some observers into thinking that there was a serious dispute about the
affordability of keeping ECC. Meanwhile IETF management works on rolling
out new procedures that allow permanent IETF bans of people issuing
"incessant requests for evidence", as if the problem were with the
requests for evidence rather than with the unjustified claims that those
requests are challenging.

---D. J. Bernstein


===== NOTICES =====

This document may not be modified, and derivative works of it may not be
created, and it may not be published except as an Internet-Draft. (That
sentence is the official language from IETF's "Legend Instructions" for
the situation that "the Contributor does not wish to allow modifications
nor to allow publication as an RFC". I'm fine with redistribution of
copies of this document; the issue is with modification. Legend language
also appears in, e.g., RFC 5831. For further background on the relevant
IETF rules, see https://cr.yp.to/2025/20251024-rules.pdf.)

v2.37.1 | Report a Bug | By Email | System Status