[TLS] Re: [EXTERNAL] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3

Yaakov Stein <ystein@allot.com> Thu, 03 April 2025 12:29 UTC

From: Yaakov Stein <ystein@allot.com>
To: "Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de>, "jschauma=40netmeister.org@dmarc.ietf.org" <jschauma=40netmeister.org@dmarc.ietf.org>
Thread-Topic: [EXTERNAL] [TLS] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3
Thread-Index: AQHbo9b38eZrQAXbUE+yipi8PY9TWbOQj5kAgAFPcJA=
Date: Thu, 03 Apr 2025 12:29:11 +0000
Message-ID: <PA6PR08MB1070754B0D9A2EFD728B51DE2D3AE2@PA6PR08MB10707.eurprd08.prod.outlook.com>
References: <582917A1-F936-4A15-AE9D-342076605BE7@sn3rd.com> <Z-1AGna12NAYHPl9@netmeister.org> <6ff838df0794e75225d9e9ce9f53248c9bdf4235.camel@aisec.fraunhofer.de>
In-Reply-To: <6ff838df0794e75225d9e9ce9f53248c9bdf4235.camel@aisec.fraunhofer.de>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 7B1+MA5SREwyE2LXF4AIM9tFLB9pG6IYGdECsj+T8yi85CKHHeeHOK5Z/+OEq2PwJxK3HK/ZnhaU/gYusMFy9TWD/2AtpeYnGStqN8WuFWikcypwgYiLJlvkT1+IlRTB59FuphJPeWHhp8bPqna3mwJAH+UmsP7wH3aQjpruM/+ZC7SgL69+fTb706/uhZtA066KZllzRnspVGYsyLU2Pbo0bnkm1SAPa9wMfEXWlMdsGJUSVBVqUeV51C7aUi+vWaBxHjJbyJUvYNIWB6p8qfb+Q/RAhRlqVOSJgVe5zjHjiw9MzwQ+86ALz90Yd8qFXVrwEn+GzsYNRqXKo4fHWBhpfwW9zpJ0JqhgDcjFTGYTpc0kVYt7WN1QKwCLJhGHRmHvAcKBfJhFvSgTjl1iD0hYpvmbqnshjb8GURfqKgy2Z1YDZ2wcQOKTMj9GAKsj+e9xn1o+XOAz6kIXqiKh8HabmEr9T/rRPqXBtQIwgt58g1vcx5h6YTxARGVbqQjrpqC014N6Qk0N36J7XRmLvxrUVzkp69Z58RGm8FhWkZQbIWaNwWW58BZV1HBK5UHPcTntr0DD8V6bC5Jl2MY0Wd47kiLSY6+M07M/7ccg7FlWT5srF1QQP4UzHDfyPFEycvGtQlgPkE66/O++csKbvpMNpsozt3kR8tzvJj4bm9ws9k0MVlPnnahBWfBUJQa4PmoKPsXFgZcF50SBX3mZxELK2nLArVMwntctNTGT53WGyK+maO9+9zFxEAmx2UGA2UPwQSWQ1RnTepzefdSMItVe4LCvpKHf1XvRNwAT9rHbL6UPcvc070spFI9s43bYoEe3e2IN5+rY03vq76tPMSZ75Zh7y7LJc6XhHap2S2HxDEqtmBxdPGKxXfxC1guFOqBia1Ws9DBrQoc3K5h/62+OJGXYHeaFz3zxUR7MS3E9K8D4LyAkJh6/kITvb7rE6uwXKjXkLmV6U2dK8pY64YgxyXmROOCWPh5aM7Zrid0fHPYwD5u1mK5WJD2ae0YyXvWDgA+tprrlwfGg+2dS49DYaW2COIRVV69l0jeMb53oJXMjSzHtUW4STgap7MvXt2+sKTGafu2nF3WLHnkrpprJUE2EWFILSxEZplFN2g7YilDFZ/FULFqr0EviZ4K34NqI1BJzvmowmXNwHw6ZuJP8YWscT6ZWGOjtuWFoXQcPCOcqXjWiNJ38BIQUSVtbUTSBNkbslbNiwcmGkZq/HbrGZmI1s/bDZBBOkr923R4I5r6aLWp8s35tmXib27u53l0fpipkvMZlhxahOKn0ZTGsICrrMyPeCZ1pHa42DffEMRbusIgaYQ117G8Vs31fMouvCnrgSUaH+yuoc+QHBXeQGzlZaRjcPSF5EiYP+U9MRGiRUv2KUYOzz61PeWz4CKyP3bLPrQdZsXjYkMRfzQ/CpAZeARYIHI3VuSheWZsK2zpl0w4g8IFNZbmOGN1M5Qslc5xtKip5yg0oBqgyq10af++3wRD1QxIDZ81GYNf+7K9BL7NuII2i/KWHdXgK/gKCpZtFi/pYGeRmBxv60pGMBzmg+ikMJs51kpk6rmg=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: allot.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PA6PR08MB10707.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3c953ca1-7f96-4ac0-8361-08dd72ab2357
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Apr 2025 12:29:11.3962 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 789e5ff8-0396-414e-803b-13a424e9f5d2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: h0b3JAG7Bl68H7kPougRFkoz3m1CQtbXiq8vh84yWbLrwfdsGj9o4EXvePc2Maf050Vak/fr+rGLNl1Dpnw4Cg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR08MB7381
Message-ID-Hash: EGTV4ALSHM75AUZU53J3L5F7YQDEQQ3J
X-Message-ID-Hash: EGTV4ALSHM75AUZU53J3L5F7YQDEQQ3J
X-MailFrom: ystein@allot.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXTERNAL] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OvzBjUUUA5GltbKWOgVsgvx9_Gc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

> Even with Recommended=N, I can imagine many managers reacting to a presentation on "YOU NEED TO USE PQC LIKE ML-KEM BECAUSE ELSE..." by googling "deploy ML-KEM now" and being recommended this rather than a safer hybrid[1]. I am not convinced that such a person, if given more knowledge, "doesn't want to do that".
> [1] After all, the manager was told to deploy MLKEM, not this suspicious X25519MLKEM, whatever scam that must surely be.

Really?

I asked ChatGPT "Should I use MLKEM alone or a hybrid ECC + PQC combination?" and received the following balanced reply:

The decision between using ML-KEM (Kyber) alone or a hybrid ECC + PQC combination depends on your specific security and performance requirements.

Considerations for Each Approach:

ML-KEM (Kyber) Alone
✅ Pros:

Post-quantum security: ML-KEM (Kyber) is designed to resist quantum attacks, unlike ECC.

Simpler implementation: Using just one algorithm reduces complexity.

More future-proof: ECC could become obsolete when quantum computers become practical.

❌ Cons:

Less tested in the real world: Though NIST has standardized Kyber, it's still relatively new compared to ECC.

Potential hidden vulnerabilities: Post-quantum cryptography (PQC) is evolving, and new attacks might emerge.

Hybrid ECC + PQC Combination
✅ Pros:

Strongest security option: If ML-KEM is broken, ECC still provides security (and vice versa).

Defense in depth: Combining a well-established (ECC) and a new (PQC) algorithm increases resilience.

Better interoperability: Many current systems still rely on ECC.

❌ Cons:

More computationally expensive: Hybrid approaches increase handshake size and latency.

Complexity in implementation: Managing two key exchanges means additional attack vectors if not handled properly.

Which Should You Choose?
If you need maximum security and don’t mind extra computational costs, go for hybrid ECC + ML-KEM.

If you prefer a simpler, efficient, and future-proof approach, ML-KEM alone is a strong choice.

If your system needs to work with existing ECC-based infrastructures while transitioning to PQC, hybrid makes sense.

💡 Current Best Practice: Many organizations (e.g., Cloudflare, AWS) are using hybrid modes during the transition to fully post-quantum cryptography. If you’re designing a system today, hybrid is the safer option for now.

Y(J)S

This message is intended only for the designated recipient(s). It may contain confidential or proprietary information. If you are not the designated recipient, you may not review, copy or distribute this message. If you have mistakenly received this message, please notify the sender by a reply e-mail and delete this message. Thank you.

[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… John Mattsson
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Thom Wiggers
[TLS] WG Adoption Call for ML-KEM Post-Quantum Ke… Sean Turner
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Russ Housley
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Rebecca Guthrie
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Yaroslav Rosomakho
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Sun Shuzhou
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Martin Thomson
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Viktor Dukhovni
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Yaakov Stein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… David Adrian
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Loganaden Velvindron
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Kris Kwiatkowski
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Deirdre Connolly
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Filippo Valsorda
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Jan Schaumann
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Filippo Valsorda
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Deirdre Connolly
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Alicja Kario
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Loganaden Velvindron
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… tirumal reddy
[TLS] Re: [EXTERNAL] Re: WG Adoption Call for ML-… Yaakov Stein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Joseph Birr-Pixton
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Rob Sayre
[TLS] Boring cryptography, and the opposite extre… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXTERNAL] Re: WG Adoption Call for ML-… Andrei Popov
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Sean Turner
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Scott Fluhrer (sfluhrer)
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Boring cryptography, and the opposite e… D. J. Bernstein
[TLS] Re: Boring cryptography, and the opposite e… Bas Westerbaan
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Loganaden Velvindron
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Flo D
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Quynh Dang
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Sean Turner
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Andrey Jivsov
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Benjamin Kaduk
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Rob Sayre
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Nico Williams
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… D. J. Bernstein
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Nico Williams
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Stephen Farrell
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Flo D
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… David Adrian
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Stephen Farrell
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Flo D
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bas Westerbaan
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bas Westerbaan
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Paul Wouters
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Paul Wouters
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Viktor Dukhovni
[TLS] Re: [EXT] Re: Boring cryptography, and the … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Stephen Farrell
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Rob Sayre
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Nico Williams
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Paul Wouters
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Bellebaum, Thomas
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Loganaden Velvindron
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Stephen Farrell
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Stephen Farrell
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Nico Williams
[TLS] Re: [EXTERNAL] Re: [EXT] Re: WG Adoption Ca… Andrei Popov
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Salz, Rich
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Rob Sayre
[TLS] Re: [EXTERNAL] Re: [EXT] Re: WG Adoption Ca… Deirdre Connolly
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Benjamin Kaduk
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Nico Williams
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Salz, Rich
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Loganaden Velvindron
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… D. J. Bernstein
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Sean Turner
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Watson Ladd
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… Andrey Jivsov
[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM P… S Moonesamy
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… S Moonesamy
[TLS] Re: WG Adoption Call for ML-KEM Post-Quantu… Sean Turner