[TLS] Re: FATT Chance: On the Robustness of Standalone and Hybrid ML-KEM Key Exchange in TLS 1.3

Yaakov Stein <ystein@allot.com> Mon, 08 June 2026 17:08 UTC

From: Yaakov Stein <ystein@allot.com>
To: Nadim Kobeissi <nadim@symbolic.software>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Date: Mon, 08 Jun 2026 17:08:42 +0000
Message-ID: <GV1PR08MB7346DEE77D5AAE9FB6154D9ED31C2@GV1PR08MB7346.eurprd08.prod.outlook.com>
References: <E3248C6C-F41D-4697-B484-5DD3B3F03893@symbolic.software> <cec4e220-0842-486d-9c69-ddaf37260da4@tu-dresden.de> <MN2PR17MB40310B7FDC1875D16334B680CD102@MN2PR17MB4031.namprd17.prod.outlook.com> <154E6BD1-8F60-4E84-930D-751A812840C8@joseon.com> <CAGgd1OeM=b+g-SCtbQuV9OprSDFHRPk=xcnzqRY0Jd7JQsxeng@mail.gmail.com> <8BF77F56-3E92-490A-A15B-ECA803E745D4@joseon.com> <CAOvwWh3JY6u_vBMtwMOZ96UyM1-uYwuy+9m9xEUXwt+QDK0bbA@mail.gmail.com> <SYBPR01MB6336522468BC74BDCB5C99FCEE1C2@SYBPR01MB6336.ausprd01.prod.outlook.com> <CACSbMKkOw=aHWp3b=gnyd1DBMs4Vd3p11cF_EjCuqkaxvUQStA@mail.gmail.com> <CAHxYnaOj3_d8dv1GZpzr9OVS0ZMw5s-Ek7DdW2BA_AJSXXf85Q@mail.gmail.com> <CH2PR17MB40229FBA89A4A0906D87C590CD1C2@CH2PR17MB4022.namprd17.prod.outlook.com> <371E6923-33F2-4593-BDA9-24091340C70C@symbolic.software>
In-Reply-To: <371E6923-33F2-4593-BDA9-24091340C70C@symbolic.software>
CC: Nathanael Ritz <nathanritz@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Re: FATT Chance: On the Robustness of Standalone and Hybrid ML-KEM Key Exchange in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FHnv98ny7QH4-3n2KvML6pE4tBc>

Can we all calm down?

Were I to receive this paper for review (and I was on the editorial boards of several journals)
I would say as follows:

  1.  The new code is a relatively small addition to the original ProVerif, and thus it is enough to focus on it.
  2.  The modeling of section 3 captures at a very very high level the essence of what a KEM is.
      As I stated in a previous email, the commutativity issue is an artifact of DH which is used to show that the two parties share a secret; the new code (which is along the lines of what I too proposed) shows the same feature for a generic KEM.
  3.  The kem-leak rule models at a very high level the collapse of a broken KEM – i.e., the shared secret becoming directly recoverable by another party. I would have preferred modeling a more specific break of LWE-based ML-KEM, but that would be both harder and more restrictive.
  4.  The kem-leak rule only models a strong complete break where the attacker immediately recovers the entire secret. There can be softer breaks (like the MATZOV one).
  5.  I am not sure that all edge cases (what if the KEM returns “failed” or the FO receives invalid input) have been included.
  6.  All such analyses model protocol behavior, and cannot answer algorithmic questions. Don’t expect it to answer open questions like whether ML-KEM is broken classically or to a CRQC.
  7.  I personally prefer a more classic scientific paper style, rather than the more playfully literary one (and was it a Tuesday or a Thursday???) but chacun à son goût.

Summing up, the enhanced model does what it set out to do, namely it adds a generic KEM to TLS
and shows that, by exploiting the fact that decapsulating an encapsulated secret returns the original secret,
we regain the same situation as for DH.

This is hardly surprising, but it is reassuring that it can be formally obtained.
Had this not been obtained I would be highly suspicious of the modeling.

Furthermore, the paper shows that if the KEM breaks but we have hybridized it with a non-broken mechanism,
the other mechanism saves the day.
Once again, not surprising, but reassuring.

Rich – please count one peer review out of the usual three (but admittedly not double-blind).
Nadim – let your work speak for itself.

Y(J)S
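To make the three modeling points above concrete (a generic KEM reduced to "decapsulation returns the encapsulated seed", a kem-leak rule as a complete break, and a hybrid with DH that survives that break), here is a small ProVerif sketch. It is an added illustration written for this archive page; it is not the paper's model, not the original TLS ProVerif code, and not the authors' kem-leak rule. All names (`encaps`, `decaps`, `kemleak`, `kdf`, the `client`/`server` macros) are assumptions chosen for this sketch, and the handshake is deliberately stripped to an unauthenticated-server/authenticated-client-view toy rather than TLS 1.3.

```proverif
(* Added example, not the paper's model. Generic KEM + DH hybrid in ProVerif,
   with an optional "complete break" destructor standing in for a kem-leak rule. *)

type skey.
type pkey.
type seed.
type G.          (* DH group elements *)
type exponent.

(* Generic KEM: the only property used is that decapsulating with the
   matching secret key returns the encapsulated seed (cf. point 2 above). *)
fun pk(skey): pkey.
fun encaps(pkey, seed): bitstring.
reduc forall sk: skey, r: seed; decaps(encaps(pk(sk), r), sk) = r.

(* Classical DH, modelled with the usual commutativity equation. *)
const g: G.
fun exp(G, exponent): G.
equation forall x: exponent, y: exponent; exp(exp(g, x), y) = exp(exp(g, y), x).

(* Hybrid key derivation: both shares feed the session key. *)
fun kdf(seed, G): bitstring.

(* Complete break of the KEM (cf. points 3 and 4 above): the attacker recovers
   the seed from the ciphertext alone, with no secret key.  Keep this line to
   model the broken KEM; delete it to model the unbroken KEM. *)
reduc forall p: pkey, r: seed; kemleak(encaps(p, r)) = r.

free c: channel.

(* Server: holds the KEM key pair and a long-lived DH exponent, reads the
   client's contribution from the public channel. *)
let server(sk: skey, y: exponent) =
  in(c, (ct: bitstring, gx: G));
  let r = decaps(ct, sk) in
  let k_s = kdf(r, exp(gx, y)) in
  0.

(* Client: is handed the server's authentic public values as parameters (this
   stands in for certificate-based server authentication), encapsulates a fresh
   seed and contributes a fresh DH share. *)
let client(p: pkey, gy: G) =
  new r: seed;
  new x: exponent;
  out(c, (encaps(p, r), exp(g, x)));
  let k_c = kdf(r, exp(gy, x)) in
  0.

(* Is the client's session key derivable by the attacker? *)
query secret k_c.

process
  new sk: skey;
  new y: exponent;
  out(c, (pk(sk), exp(g, y)));
  ( !server(sk, y) | !client(pk(sk), exp(g, y)) )
```

With the `kemleak` destructor present the attacker learns `r` from the ciphertext, yet `query secret k_c` still holds because `exp(exp(g, x), y)` is not derivable: that is the "other mechanism saves the day" result in miniature. Changing `kdf` to depend on the seed alone (a standalone KEM) makes the same query fail as soon as `kemleak` is present, which is the standalone-vs-hybrid contrast the paper is about. Only the client's key is queried: the server accepts an unauthenticated contribution, so its key is trivially attacker-chosen in this toy and querying `k_s` would fail for reasons unrelated to the KEM.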

From: Nadim Kobeissi <nadim@symbolic.software>
Sent: Monday, June 8, 2026 6:00 PM
To: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Nathanael Ritz <nathanritz@gmail.com>; tls@ietf.org
Subject: [TLS] Re: FATT Chance: On the Robustness of Standalone and Hybrid ML-KEM Key Exchange in TLS 1.3

Rich, seriously, cut it out.

If you want to critique a work, critique it by reading it and providing technical, scientific rebuttals against it.

Counting the number of authors or the publication venue is such a stupid way to critique scientific work.

This is the second time you make this idiotic claim. It’s deeply stupid. That’s not how you critique someone’s work or judge its value.

I am absolutely certain that if the paper was *also* published on ePrint and *also* had a single author, but that author’s name was Karthikeyan Bhargavan or Cas Cremers, you wouldn’t be repeating this deeply brain-dead line of reasoning.

Nadim Kobeissi
Symbolic Software • https://symbolic.software


On 8 Jun 2026, at 4:39 PM, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:

On 6/8/26, 12:28 AM, "Nathanael Ritz" <nathanritz@gmail.com> wrote:

> Independent machine-checked symbolic analysis using ProVerif [REF]

This gives too much credit to one individual’s work that is not in a peer-reviewed journal or conference. Nothing against Nadim, he deserves all the credit for what he did, but let’s not overstate it. For example, maybe the first word should be “An …”