[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

"Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de> Tue, 14 October 2025 09:08 UTC

From: "Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de>
To: "durumcrustulum@gmail.com" <durumcrustulum@gmail.com>, "uri@ll.mit.edu" <uri@ll.mit.edu>
Date: Tue, 14 Oct 2025 09:07:44 +0000
Message-ID: <432b22dccffb31c6af3afe8657f2c26b04609c10.camel@aisec.fraunhofer.de>
References: <CAFR824wG_3h3P0cM_oe4sAA2T9si2KteZRvi3UbzC7gs6hV7hQ@mail.gmail.com> <551EC460-8C2F-4FB5-B95C-D11DCD84BB61@ll.mit.edu> <3f2a02b66e77b648e008962493a956568e4e22a7.camel@aisec.fraunhofer.de> <BN0P110MB1419FADCDDF236E0481D365590EAA@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN0P110MB1419FADCDDF236E0481D365590EAA@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
CC: "tls@ietf.org" <tls@ietf.org>, "Andrei.Popov=40microsoft.com@dmarc.ietf.org" <Andrei.Popov=40microsoft.com@dmarc.ietf.org>
Subject: [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QdZAtBZgZX6yMvOpm4TLtHEGo7M>

> Crypto is not the “one and only memory bug” – true. But we do not hold off from removing bugs on the grounds that there likely remain other bugs still un-remedied.

True. But we are not dealing with actual bugs - we are dealing with statistical bugs. As in "I expect an average of (say) 0.05 memory bugs per implementation of this particular feature" after accounting for implementations in memory-safe languages, code reviews, etc. These will incur a loss in security insofar as they make the difference between a successful (or worse) attack and an unsuccessful attempt. I cannot imagine the particular case of memory bugs making much of a difference in any risk-vs-cost threat analysis, especially because choosing an all-in PQ option also has statistical costs (see below).

> > When it comes to other kinds of attacks, a properly designed hybrid can actually be *safer* because instead of doubling the amount of wall you have to guard for your castle, you are building a second wall *behind* an existing one.
> 
> You need to maintain not one but two “walls” and worry about “interlacing/interfacing” between them.

The interface in this case is very simple. As part of the key schedule there is a hashing step combining the secrets. Any bug here is usually very easy to spot with a simple test against openssl s_client/s_server or whatever tests you have prepared to do a handshake. Then there is serialization and deserialization of the public key or ciphertext. All of these are fixed size for a given parameter set, which is good. All of the above represents the simplest way of implementing the hybrid functionality, so I do not expect much variety in implementation strategies. Maintenance of this interface should be very simple, and the expected costs from security-critical bugs here should be very low.

> When you know that one of those walls is dead (well, not quite yet – but “terminally ill with no hope for recovery”), and all your future safety depends on the other wall.

But we do not know that one wall is dead. Again, statistics. We expect with high probability that the EC-Wall is going to just topple over in a few years. We expect with some non-zero probability that the PQ-Wall has not been built right and never was that strong. Building up both walls will maximize the expected amount of time we can spend happily living inside the walls before the evil king gets to us.

> > On a more technical level, the primary use of a KEM in TLS is to derive a secret key, and as long as the PQ-KEM spits out anything at all during normal program flow, whatever output this is could be treated as part of the nonce, as far as security goes. So the additional attack surface is basically nonexistent.
> 
> Additional attack surface is not in the crypto theory, but in the implementation, particularly in the integrating the two “walls”.

See above. It would probably be helpful if you could describe a few bugs you consider likely. In case this LC does not pass immediately, it would be good to incorporate guidance against them.

> > This is now for any use case not requiring confidentiality for more than a few years.
> 
> Why would the users of that use case even bother with paying the cost of exchanged messages size increasing the by the orders of magnitude? For apparently zero benefit (as we don’t expect CRQC within the next few years)?

They would not, for the same reason that PQ signatures are not as time-critical right now (at least for TLS).

But consider the less obvious examples I mentioned, which distinguish not only between attacked and not attacked, but also consider the cost arising from a successful attack:
An ad-company would be more interested in my current situation and interests than in my situation five years ago, even though my interests from five years ago are correlated with my interests nowadays. Similarly, a dictator could execute anyone speaking against him right now, but would at least be interested to know who spoke against him before he came into power.
In such situations, you want to maximize the expected amount of time until your castle is breached, and a hybrid will do just that. Yes, any EC-Wall will likely fall in five years, but the damage will only occur if the other walls also fell (hence the PQ-Wall), and will be less than if the last wall fell tomorrow (hence the EC-Wall).

> > **and** PQ algorithms fall to a classic attack (like SIKE).
> 
> Google KyberSlash, which is a classic attack.
> 
> That's how realistic this is.
> 
> That’s not an algorithmic attack – it’s an attack against implementations that have not plugged their timing side-channel. Such attacks exist against many (all?) Classic and PQ algorithms, they can be realistic, depending on your use case, and there are known defenses against them.

Above you wrote that "Additional attack surface is not in the crypto theory, but in the implementation". Hence the algorithm by itself is irrelevant (That will not stop me from praising said algorithm while an evil king hangs me, though). Again, statistics. There are differences in how often timing side channels occur in X25519 vs. DH on P256. Extrapolating from KyberSlash, we seem to have much less experience in designing PQ-algorithms which - implemented - do not suffer from such attacks. If it were possible to implement ML-KEM (or any other KEM) in a black-box-hand-it-to-a-mathematician-and-it-will-just-work way, I would implement it that way.

> > "Harvest now, decrypt later" plays no role in deciding between a hybrid and an all-in option.
> 
> It does, because in the end, only the PQ part determines whether your harvested-now data will remain safe or not.

...which is present in both approaches.

-- TBB

===== IETF Stuff =====

This document may not be modified, and derivative works of it may not be
created, except to format it for publication as an RFC or to translate it into
languages other than English.
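The "very simple interface" the reply describes (the key-schedule step that combines the secrets, plus fixed-size serialization of key shares) as an added example; this is not the author's or the draft's code. It implements the key-share split and shared-secret concatenation for the three hybrid groups of the ECDHE-MLKEM draft and the HKDF-Extract call that TLS 1.3 applies to the result; component sizes are those of FIPS 203 and the draft, and the byte values under `__main__` are constructed stand-ins.

```python
"""Fixed-size key-share parsing and shared-secret combination for the
ECDHE-MLKEM hybrid groups of TLS 1.3 (added example, not the draft's code).

The key share and the hybrid shared secret are plain concatenations without
length prefixes, so each has exactly one legal length per group; sizes come
from FIPS 203 (ML-KEM) and the draft's group definitions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

MLKEM_SS_LEN = 32  # FIPS 203: the ML-KEM shared secret is always 32 bytes


@dataclass(frozen=True)
class HybridGroup:
    name: str
    ecdh_pub_len: int  # encoded ECDH public value (X25519: 32; P-256/P-384 uncompressed point: 65/97)
    ecdh_ss_len: int   # ECDH shared secret (X25519: 32; NIST curves: x-coordinate, 32/48)
    mlkem_ek_len: int  # ML-KEM encapsulation key, sent client -> server
    mlkem_ct_len: int  # ML-KEM ciphertext, sent server -> client
    mlkem_first: bool  # X25519MLKEM768 puts ML-KEM first; the NIST-curve groups put ECDH first


GROUPS = {
    "X25519MLKEM768": HybridGroup("X25519MLKEM768", 32, 32, 1184, 1088, True),
    "SecP256r1MLKEM768": HybridGroup("SecP256r1MLKEM768", 65, 32, 1184, 1088, False),
    "SecP384r1MLKEM1024": HybridGroup("SecP384r1MLKEM1024", 97, 48, 1568, 1568, False),
}


def split_key_share(group_name: str, share: bytes, from_client: bool) -> Tuple[bytes, bytes]:
    """Split KeyShareEntry.key_exchange into (mlkem_part, ecdh_part).

    Anything other than the single legal length is rejected before either
    component reaches the KEM or ECDH code: this is the whole deserialization
    side of the hybrid interface."""
    g = GROUPS[group_name]
    mlkem_len = g.mlkem_ek_len if from_client else g.mlkem_ct_len
    expected = mlkem_len + g.ecdh_pub_len
    if len(share) != expected:
        raise ValueError(f"{g.name}: key_exchange is {len(share)} bytes, expected {expected}")
    if g.mlkem_first:
        return share[:mlkem_len], share[mlkem_len:]
    return share[g.ecdh_pub_len:], share[:g.ecdh_pub_len]


def combine_shared_secrets(group_name: str, mlkem_ss: bytes, ecdh_ss: bytes) -> bytes:
    """Concatenate the two shared secrets in the group's order; the result is
    the IKM of the TLS 1.3 key schedule, exactly where a single ECDH secret went."""
    g = GROUPS[group_name]
    if len(mlkem_ss) != MLKEM_SS_LEN or len(ecdh_ss) != g.ecdh_ss_len:
        raise ValueError(f"{g.name}: shared-secret component has the wrong length")
    return mlkem_ss + ecdh_ss if g.mlkem_first else ecdh_ss + mlkem_ss


def handshake_secret(salt: bytes, hybrid_ss: bytes, digest: str = "sha256") -> bytes:
    """The 'hashing step' of the key schedule: HKDF-Extract(salt, IKM) is one HMAC.
    In TLS 1.3 the salt is Derive-Secret(Early Secret, "derived", "")."""
    return hmac.new(salt, hybrid_ss, getattr(hashlib, digest)).digest()


if __name__ == "__main__":
    # Constructed stand-in bytes; a real stack gets them from its KEM and ECDH libraries.
    ek, x25519_pub = split_key_share("X25519MLKEM768", b"\xa1" * 1184 + b"\xb2" * 32, True)
    ss = combine_shared_secrets("X25519MLKEM768", b"\x01" * 32, b"\x02" * 32)
    print(len(ek), len(x25519_pub), handshake_secret(b"\x00" * 32, ss).hex())
```

A test against openssl s_client/s_server, as the reply suggests, exercises exactly these two functions: a wrong split or wrong concatenation order produces a different handshake secret and the Finished check fails immediately.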