[TLS] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3

Bas Westerbaan <bas@cloudflare.com> Wed, 16 April 2025 09:51 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Z84tb6nCcDNYTFdE2JyyF-O-4ZU>

On Wed, Apr 16, 2025 at 10:38 AM Bellebaum, Thomas <thomas.bellebaum@aisec.fraunhofer.de> wrote:

> > This is misleading. There are many implementations of Kyber that require
> > much less memory. See eg [1] from 2019 where Kyber-512 only requires 2736
> > bytes.
>
> Thank you. Somehow I missed this, although the use of a reference
> implementation seemed suspicious.
>
> > By the way, for key agreement, between keygen and decapsulation, a client
> > only needs to keep around the private key seed (64 bytes).
>
> This actually emphasizes the point.
> For any ML-KEM capable device, we are still talking about a minimum RAM of
> at least two KB (ignoring significant future optimizations). Moreover, much
> of that memory is unused outside of ML-KEM operations.
> Then:
>
> 1. The unused memory should suffice to perform X25519, and therefore
> 2. Limited RAM is quite unlikely to be the bottleneck when choosing
> between ML-KEM and a hybrid.
>

Agreed.


>
> -- TBB
>
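
Added example, not part of the original message or of any implementation cited in the thread: the quoted point that a client only needs to retain the 64-byte private key seed between keygen and decapsulation, shown with Go's standard `crypto/mlkem` package (Go 1.24 or later). It assumes ML-KEM-768 because that package does not offer the 512 parameter set; the function and type names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// clientState is all the client retains between sending its key share
// and receiving the peer's ciphertext: the seed, nothing expanded.
type clientState struct{ seed [mlkem.SeedSize]byte }

// clientKeyShare generates a key pair, returns the encapsulation key to
// send, and keeps only the seed form of the decapsulation key.
func clientKeyShare() (pub []byte, st clientState, err error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, st, err
	}
	copy(st.seed[:], dk.Bytes()) // Bytes() returns the 64-byte seed
	return dk.EncapsulationKey().Bytes(), st, nil
}

// serverEncapsulate plays the peer: parse the key share, encapsulate.
func serverEncapsulate(pub []byte) (shared, ct []byte, err error) {
	ek, err := mlkem.NewEncapsulationKey768(pub)
	if err != nil {
		return nil, nil, err
	}
	shared, ct = ek.Encapsulate()
	return shared, ct, nil
}

// clientFinish re-expands the key from the seed, then decapsulates.
// The expanded key exists only for the duration of this call.
func clientFinish(st clientState, ct []byte) ([]byte, error) {
	dk, err := mlkem.NewDecapsulationKey768(st.seed[:])
	if err != nil {
		return nil, err
	}
	return dk.Decapsulate(ct)
}

// roundTrip reports the bytes retained by the client and whether both
// sides derived the same shared secret.
func roundTrip() (retained int, agree bool, err error) {
	pub, st, err := clientKeyShare()
	if err != nil {
		return 0, false, err
	}
	serverSecret, ct, err := serverEncapsulate(pub)
	if err != nil {
		return 0, false, err
	}
	clientSecret, err := clientFinish(st, ct)
	return len(st.seed), bytes.Equal(serverSecret, clientSecret), err
}

func main() { fmt.Println(roundTrip()) }
```

Re-expanding from the seed trades the retained memory for an extra key expansion at decapsulation time; the working memory needed during the ML-KEM operations themselves is unchanged.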