[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

John Mattsson <john.mattsson@ericsson.com> Wed, 26 November 2025 09:02 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "draft-ietf-tls-mlkem@ietf.org" <draft-ietf-tls-mlkem@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Date: Wed, 26 Nov 2025 09:02:22 +0000
Message-ID: <GVXPR07MB96784D1317779A8A29CC885889DEA@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <a49c347c-ccb0-42c5-808b-a3f49455858e@app.fastmail.com> <20251125080530.273154.qmail@cr.yp.to>
In-Reply-To: <20251125080530.273154.qmail@cr.yp.to>

Dan Bernstein wrote:
>ECC+PQ has roughly the same performance properties as non-hybrid PQ

This is not correct. A hybrid such as X25519 + ML-KEM requires substantially more cycles and code size than standalone ML-KEM. The differences are not marginal — they are quantifiable and significant for constrained implementations.
https://blog.cloudflare.com/pq-2025/
https://www.ietf.org/archive/id/draft-spm-lake-pqsuites-01.html

>This document was introduced in pursuit of "CNSA 2.0 compliance"

That claim is contradicted by the inclusion of ML-KEM-512 and ML-KEM-768, neither of which appears in CNSA 2.0. Performance matters directly for practical security. X25519MLKEM768 consumes significantly more code size, CPU cycles, latency, and bandwidth than standalone ML-KEM-512. There are many constrained deployments where these costs matter far more than in the “browse-a-website” scenario that is frequently assumed.

Recently on the TLS mailing list, several participants have argued (correct or not) that they want to reuse “ephemeral” X25519MLKEM768 key shares — in direct violation of FIPS 203 — for performance reasons.

While I strongly agree that X25519MLKEM768 should be the recommended key-exchange method for the Web today, hybrids are far from "strictly better" security-wise. Several standards demonstrate this clearly. For example, the composite-signature mechanisms in LAMPS, as well as ETSI CasKDF, both destroy SUF-CMA (ML-DSA) and IND-CCA2 (ML-KEM) security guarantees that the standalone algorithms provide. That is unlikely to be what users expect when they use a “hybrid.”

Furthermore, the large X25519MLKEM768 key shares cause many legacy middleboxes to reject the connection. In such environments, I think it is preferable to rely on ML-KEM-512 rather than to revert to algorithms that offer no post-quantum protection at all.

(In your “alternative truth” blog post on IETF and corruption you claim that a lot of people in the TLS WG have conflicts of interest. This is ironic, given that you yourself are the author of several algorithms you routinely advocate for...)

Cheers,
John Preuß Mattsson
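As an added illustration of the bandwidth difference the post refers to (example code, not part of the thread), the following derives the key_share bytes per handshake for ML-KEM-512, ML-KEM-768 and X25519MLKEM768 from the FIPS 203 encoding formulas and the RFC 8446 KeyShareEntry layout. Scheme names follow the thread; the 4-byte entry overhead is the only TLS framing counted (record and handshake headers are omitted).

```python
# Added example: key_share bandwidth of the groups discussed, derived from FIPS 203.
# (k, d_u, d_v) per FIPS 203 parameter set; eta values do not affect encoding sizes.
MLKEM_PARAMS = {
    "ML-KEM-512":  {"k": 2, "du": 10, "dv": 4},
    "ML-KEM-768":  {"k": 3, "du": 10, "dv": 4},
    "ML-KEM-1024": {"k": 4, "du": 11, "dv": 5},
}
N = 256          # ring dimension
Q_BITS = 12      # coefficients mod q = 3329 are encoded in 12 bits
RHO_LEN = 32     # public seed rho appended to the encapsulation key
X25519_LEN = 32  # X25519 public key, sent by both sides of a hybrid
ENTRY_OVERHEAD = 4  # KeyShareEntry = 2-byte NamedGroup + 2-byte length (RFC 8446)

def mlkem_sizes(name):
    """(encapsulation key bytes, ciphertext bytes) for a FIPS 203 parameter set:
    ek = ByteEncode_12(t) || rho, ct = ByteEncode_du(c1) || ByteEncode_dv(c2)."""
    p = MLKEM_PARAMS[name]
    ek = p["k"] * N * Q_BITS // 8 + RHO_LEN
    ct = (p["k"] * N * p["du"] + N * p["dv"]) // 8
    return ek, ct

# TLS NamedGroups from the thread -> component algorithms. A hybrid key_exchange
# is the concatenation of its components' values (order does not change the size).
SCHEMES = {
    "MLKEM512": ["ML-KEM-512"],
    "MLKEM768": ["ML-KEM-768"],
    "X25519MLKEM768": ["ML-KEM-768", "X25519"],
}

def key_share_bytes(scheme):
    """Wire bytes of the key_share entries for one handshake: ClientHello + ServerHello."""
    client = server = ENTRY_OVERHEAD
    for comp in SCHEMES[scheme]:
        if comp == "X25519":
            client += X25519_LEN      # client's X25519 public key
            server += X25519_LEN      # server's X25519 public key
        else:
            ek, ct = mlkem_sizes(comp)
            client += ek              # encapsulation key in ClientHello
            server += ct              # ciphertext in ServerHello
    return {"client": client, "server": server, "total": client + server}

def extra_bytes(scheme, baseline):
    """Additional key_share bytes per handshake that `scheme` costs over `baseline`."""
    return key_share_bytes(scheme)["total"] - key_share_bytes(baseline)["total"]

if __name__ == "__main__":
    for s in SCHEMES:
        print(f"{s:15s} {key_share_bytes(s)}")
    print("X25519MLKEM768 over MLKEM512:", extra_bytes("X25519MLKEM768", "MLKEM512"), "bytes")
```

With these parameters the hybrid carries 2344 key_share bytes per handshake against 1576 for ML-KEM-512, i.e. 768 extra bytes before any record or handshake framing.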