[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

John Mattsson <john.mattsson@ericsson.com> Fri, 07 November 2025 07:11 UTC

Hi,

I support publication as long as the major comments below are addressed.

I think it is correct to publish the "groups" as RECOMMENDED = N and then discuss all algorithms together at a later stage. I can understand why some people strongly prefer hybrids to protect against implementation bugs, but I do not see why standalone ML-KEM should be marked as discouraged. It is a very well-studied algorithm believed to provide very good security. European governments are now stating that they have the highest confidence in ML-KEM. I think the recommended level should be above P-256, X25519, and all other algorithms providing zero security against quantum attackers.

Major:

- "The KeyShareClientHello includes a list of KeyShareEntry structs that
   represent the key establishment algorithms the client supports.  For
   each parameter of ML-KEM the client supports, the corresponding
   KeyShareEntry consists of a NamedGroup that indicates the appropriate
   parameter, and a key_exchange value that is the pk output of the
   KeyGen algorithm."

This seems like an explanation of the "supported_groups" extension, not the KeyShareClientHello. My understanding is that "supported_groups" represent the key establishment algorithms the client supports and that KeyShareClientHello is a subset. I suggest removing text (incorrectly) duplicating RFC 8446.

- "For all parameter sets, the server MUST perform the encapsulation key
   check described in Section 7.2 of [FIPS203]"

I completely agree that NIST requirements should be followed, but explicitly mentioning 7.2 and not other mandatory requirements like the decapsulation input check in 7.3 might make the reader wonder whether the mandatory requirements in, e.g., 7.3 can be skipped, which I would disagree with.

- "TLS 1.3 does not prohibit key re-use; some implementations may use
   the same ephemeral public key for more than one key establishment at
   the cost of limited forward secrecy.  Care must be taken to ensure
   that keys are only re-used if the algorithms from which they are
   derived are designed to be secure under key-reuse.  ML-KEM's IND-CCA
   security satisfies this requirement such that the public key/secret
   key pair can be used long-term or re-used without compromising the
   security of the keys.  However, it is still recommended that
   implementations avoid re-use of any keys (including ML-KEM keys) to
   ensure perfect forward secrecy."

This is wrong in many ways.

FIPS 203 forbids reuse of ephemeral keys, which applies to this draft. IETF specifications referring to FIPS 203 may not use the same ephemeral public key for more than one key establishment. The TLS WG has not discussed violating NIST's requirements, and I suspect most people in the IETF do not want to violate NIST requirements for ML-KEM; I certainly don't.

Ephemeral keys should be independent and reusing them has a large number of negative security consequences. As stated in NIST SP 1800-37 “Addressing Visibility Challenges with TLS 1.3 within the Enterprise High-Level Document”:

“Reuse of a key share allows passive observers to correlate different connections. This specification discourages client and server reuse of a key share for multiple internet connections. Reusing key shares outside protected facilities can also expand the impact of security breaches.”

And the above statement from NIST is too soft. If you believe in zero trust rather than perimeter security, reusing key shares can expand the impact of security breaches even within protected facilities. Moreover, reusing key shares also weakens post-compromise security.

Minor:

- I think the draft should mention that ML-KEM is very very fast. Suggestion: "Optimized implementations of ML-KEM achieve key generation, encapsulation, and decapsulation operations that are faster than elliptic-curve Diffie–Hellman mechanisms (such as X25519 or P-256) on modern 64-bit CPU architectures with vector instructions."

- [AVIRAM], [DOWLING], [FO], [HHK], [HPKE], [hybrid], [LUCKY13], [RACCOON] are not used and should be removed.

- OLD: key establishment mechanism (KEM)
  NEW: key encapsulation mechanism (KEM)

Cheers,
John
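A defender-side illustration of the two FIPS 203 input checks discussed in the message above (the Section 7.2 encapsulation key check and the Section 7.3 decapsulation input check), added here as an example; it is not part of the original message or of the draft. The parameter table (k, d_u, d_v) and the dk layout dk_PKE || ek || H(ek) || z are taken from FIPS 203, and the key material is constructed for demonstration, not a real key pair.

```python
import hashlib

# FIPS 203 parameter sets as (k, d_u, d_v); q = 3329 for all of them.
ML_KEM_PARAMS = {"ML-KEM-512": (2, 10, 4), "ML-KEM-768": (3, 10, 4), "ML-KEM-1024": (4, 11, 5)}
Q = 3329

def byte_encode_12(coeffs):
    """ByteEncode_12: pack pairs of 12-bit coefficients into 3 bytes, low bits first."""
    out = bytearray()
    for a, b in zip(coeffs[0::2], coeffs[1::2]):
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)

def encaps_key_check(name, ek):
    """Section 7.2: reject an encapsulation key of the wrong length (type check) or
    with a 12-bit coefficient outside [0, q) (modulus check)."""
    k, _, _ = ML_KEM_PARAMS[name]
    if len(ek) != 384 * k + 32:
        return False
    t = ek[:384 * k]  # packed coefficients; the trailing 32 bytes are the seed rho
    for i in range(0, len(t), 3):
        d0 = t[i] | ((t[i + 1] & 0x0F) << 8)
        d1 = (t[i + 1] >> 4) | (t[i + 2] << 4)
        if d0 >= Q or d1 >= Q:
            return False
    return True

def decaps_input_check(name, dk, ct):
    """Section 7.3: ciphertext and decapsulation key length checks plus the hash
    check H(ek) == stored hash, where dk = dk_PKE || ek || H(ek) || z."""
    k, du, dv = ML_KEM_PARAMS[name]
    if len(ct) != 32 * (du * k + dv) or len(dk) != 768 * k + 96:
        return False
    ek = dk[384 * k : 768 * k + 32]
    return hashlib.sha3_256(ek).digest() == dk[768 * k + 32 : 768 * k + 64]

def constructed_keys(name):
    """Constructed, syntactically valid key material for demonstration only:
    a coefficient pattern below q, zero seeds, and an all-zero ciphertext."""
    k, du, dv = ML_KEM_PARAMS[name]
    coeffs = [(7 * i) % Q for i in range(256 * k)]
    ek = byte_encode_12(coeffs) + bytes(32)
    dk = bytes(384 * k) + ek + hashlib.sha3_256(ek).digest() + bytes(32)
    ct = bytes(32 * (du * k + dv))
    return ek, dk, ct
```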