[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

John Mattsson <john.mattsson@ericsson.com> Fri, 28 November 2025 07:16 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
CC: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bly_SPPJepdU4Ze5hVP0Ts8YQ4g>

Hi Stephen,


>Do you know if anyone's written up a description of that?


Yes, Meta has a good article on the topic:


https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/


There has also been quite a lot written about middleboxes, load-balancers, and other software that assume the ClientHello always fits in a single packet. See e.g.:


https://blog.cloudflare.com/pq-2025/
https://www.ietf.org/archive/id/draft-reddy-uta-pqc-app-07.html


Just looking at the key share sizes, it is quite easy to see that you can use ML-KEM-512 (800 bytes), and would have been able to use X25519MLKEM512 (832 bytes), and still fit the ClientHello in a single packet. It is also quite easy to see that for many PMTUs it is problematic to fit ML-KEM-768 (1184 bytes) or X25519MLKEM768 (1216 bytes) in a single packet.


https://datatracker.ietf.org/doc/draft-ietf-iotops-security-protocol-comparison/
https://tls13.xargs.org/#client-hello
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf


While I did argue for X25519MLKEM512 (and X448MLKEM1024), I did not understand at the time that I would have wanted X25519MLKEM512 for middlebox traversal. Otherwise I would have argued harder for X25519MLKEM512.


The current situation is that OpenSSL 3.5 LTS has shipped with X25519MLKEM768, ML-KEM-512, ML-KEM-768, and ML-KEM-1024, and even if the TLS WG standardises X25519MLKEM512 now, it will take several more years until it would be added to an OpenSSL LTS, which a lot of infrastructure is based on. That would make it hard to meet 2030 deadlines for PQC migration but would meet 2035 deadlines. I can live with ML-KEM-512 for middlebox traversal, but if the TLS WG does not publish ML-KEM-512, I would suggest that X25519MLKEM512 is added to draft-ietf-tls-ecdhe-mlkem.


(Regarding misbehaving servers: if they don't handle a fragmented ClientHello they likely don't support ML-KEM anyway, and you need to retry with standalone X25519. Middleboxes and load-balancers are the big problem.)


Cheers,
John


On 2025-11-27, 20:43, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:



Hi John,


On 27/11/2025 16:02, John Mattsson wrote:
> - ML-KEM-512 is the only adopted quantum-resistant algorithm that
> can be used to bypass legacy middle boxes.


Do you know if anyone's written up a description of that?


Thanks,
S.
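As an added illustration of the key-share size budget John walks through above (this is not code from the thread or from any of the cited projects), the following Python encodes the TLS 1.3 key_share extension as RFC 8446 lays it out and checks the resulting ClientHello record against common single-segment payload budgets. The 250-byte "rest of the ClientHello", the segment budgets, and the 0xFFFF code point for X25519MLKEM512 (which has no assigned value) are assumptions; the key sizes are the ones quoted in the message.

```python
import struct

# key_exchange lengths in bytes: X25519 public key (RFC 7748), ML-KEM
# encapsulation keys (FIPS 203); a hybrid share is ML-KEM ek || X25519 pk.
KEY_EXCHANGE_LEN = {
    "x25519": 32,
    "mlkem512": 800,
    "mlkem768": 1184,
    "x25519mlkem512": 800 + 32,   # 832, the hybrid argued for above
    "x25519mlkem768": 1184 + 32,  # 1216, what OpenSSL 3.5 LTS ships
}
# NamedGroup code points: x25519 from RFC 8446, the ML-KEM ones as used by the
# TLS drafts; X25519MLKEM512 has no assigned value, so 0xFFFF is a placeholder.
NAMED_GROUP = {
    "x25519": 0x001D, "mlkem512": 0x0200, "mlkem768": 0x0201,
    "x25519mlkem512": 0xFFFF,  # PLACEHOLDER, not a real code point
    "x25519mlkem768": 0x11EC,
}
EXT_KEY_SHARE = 51    # ExtensionType key_share
RECORD_HEADER = 5     # TLSPlaintext: type(1) + legacy_version(2) + length(2)
HANDSHAKE_HEADER = 4  # Handshake: msg_type(1) + length(3)
# Assumed single-segment payload budgets: MTU minus IP and TCP headers, no options.
TCP_PAYLOAD = {"ipv4_1500": 1460, "ipv6_1500": 1440, "ipv6_min_1280": 1220}

def key_share_extension(groups):
    """Encode a key_share extension (RFC 8446 4.2.8) offering the given groups.

    Public-key bytes are constructed zero filler: only the lengths matter here."""
    entries = b""
    for g in groups:  # KeyShareEntry: NamedGroup(2) + opaque key_exchange<1..2^16-1>
        pk = bytes(KEY_EXCHANGE_LEN[g])
        entries += struct.pack("!HH", NAMED_GROUP[g], len(pk)) + pk
    shares = struct.pack("!H", len(entries)) + entries  # client_shares<0..2^16-1>
    return struct.pack("!HH", EXT_KEY_SHARE, len(shares)) + shares

def client_hello_record_size(groups, other_bytes):
    """Wire size of one ClientHello record; other_bytes is everything except
    key_share (random, cipher suites, SNI, ALPN, ...), supplied as an assumption."""
    return RECORD_HEADER + HANDSHAKE_HEADER + other_bytes + len(key_share_extension(groups))

def single_packet_report(groups, other_bytes=250):
    """For each budget, whether the ClientHello fits in a single TCP segment."""
    size = client_hello_record_size(groups, other_bytes)
    return {name: size <= budget for name, budget in TCP_PAYLOAD.items()}

if __name__ == "__main__":
    for offer in (["x25519mlkem768", "x25519"], ["x25519mlkem512", "x25519"]):
        print(offer, client_hello_record_size(offer, 250), single_packet_report(offer))
```

With the assumed 250-byte remainder, offering X25519MLKEM768 plus X25519 already exceeds a 1460-byte IPv4 segment before any SNI or certificate-related extensions grow, while X25519MLKEM512 plus X25519 fits every listed budget.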