IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Benjamin Kaduk <bkaduk@akamai.com> Wed, 26 November 2025 00:03 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 7B12490A07C9; Tue, 25 Nov 2025 16:03:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EeaC4gxjgd9L; Tue, 25 Nov 2025 16:03:57 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 41DE990A07A5; Tue, 25 Nov 2025 16:03:57 -0800 (PST)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5APHlC1U3973634; Wed, 26 Nov 2025 00:03:50 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=jan2016.eng; bh=ArXgNn6D2Vrv40cKdfT7JH/tzmAiZNOihC/ptZs6AAc=; b=Mti0XDZ7sb2h Bq1B0Ks3DnOWTr+zcuvaR+tIqsrEzeRmzz52vhzI6z0h0JrbX5j0PJZrOZzSfEcz v27D85ceFW+G2YKxbbUQKOf25brzu4fZdSwUVEFkVqK/cGw4F66bJGkbnXfPW+s4 8uTAj9OiPhL8N7OMGMpYrgtOhnDK1TDHlGvLMpk7kxQNZnT0hZt0gEMjr2hKJbRo SxHq9styRLLEoRrjqvcDhsU+Zkp1qCwhMXISgb6PVeukjfb3AtYw3oyr38BbxLds PpKx0E2DhFXybh+u1vVg+lFvzxmOwoWQSGuv3aqe5Xgo1xWuQDYcE2u2Yzzgg4mJ mECDWTUNCQ==
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60]) by mx0a-00190b01.pphosted.com (PPS) with ESMTPS id 4ance8s9c7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 26 Nov 2025 00:03:49 +0000 (GMT)
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.18.1.2/8.18.1.2) with ESMTP id 5APLfHSV019050; Tue, 25 Nov 2025 16:03:48 -0800
Received: from email.msg.corp.akamai.com ([172.27.91.41]) by prod-mail-ppoint5.akamai.com (PPS) with ESMTPS id 4akc1eep6a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 25 Nov 2025 16:03:48 -0800
Received: from usma1ex-dag5mb1.msg.corp.akamai.com (172.27.91.40) by usma1ex-dag5mb2.msg.corp.akamai.com (172.27.91.41) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.29; Tue, 25 Nov 2025 16:03:48 -0800
Received: from akamai.com (172.27.118.139) by usma1ex-dag5mb1.msg.corp.akamai.com (172.27.91.40) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.29 via Frontend Transport; Tue, 25 Nov 2025 16:03:47 -0800
Date: Tue, 25 Nov 2025 16:03:45 -0800
From: Benjamin Kaduk <bkaduk@akamai.com>
To: Sean Turner <sean@sn3rd.com>
Message-ID: <aSZD4XJlfAth9POR@akamai.com>
References: <176236867319.904123.10146982018394612684@dt-datatracker-5df8666cb-7l4w5>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <176236867319.904123.10146982018394612684@dt-datatracker-5df8666cb-7l4w5>
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-25_02,2025-11-25_01,2025-10-01_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 bulkscore=0 mlxscore=0 spamscore=0 malwarescore=0 phishscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2510240000 definitions=main-2511250200
X-Authority-Analysis: v=2.4 cv=PafyRyhd c=1 sm=1 tr=0 ts=692643e5 cx=c_pps a=NpDlK6FjLPvvy7XAFEyJFw==:117 a=NpDlK6FjLPvvy7XAFEyJFw==:17 a=8nJEP1OIZ-IA:10 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=NEAV23lmAAAA:8 a=EEW8EKxq8L-uJAf5Q3IA:9 a=3ZKOabzyN94A:10 a=wPNLvfGTeEIA:10
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTI1MDIwMCBTYWx0ZWRfX0mYHNFzrzsrw nVHG0rQmQWT2KhUiDkL48tC9yC0rac7Fn5gIy7M3LMQvMQnuuSlmfvZhVWpfu88QLTdrGm7Jvpi tOwNUlrURuDaJicsJLhvhRJRPsE6qiD38kS35baS7s+JdKnGxvHJMDcafxbOxv0Mr/Jt9fkxlT4 bBhR56x6Llwg8eNJ8aEA9duQCrM3NjQoiV6d7vEFr1mU4AAFMArBNUweQbfY/Ebyx4nLN4H1ttO uEfoXtkMpks9K/rygFeK+Hs0/0Cqf6qAz+CL4pKtd3a5qJI+JlJa4bIiUDnlPseewG8wgH/dkH9 IupNPwC4+AlHqMtNQ6hr7OlY12PwpM7fPFv4MxhCg/FTUyw7m8LVBLF9hUQsZFbgTH725tS6T/Q jHmM65i+P0FCGxmlslyPnJA2ZWQJtQ==
X-Proofpoint-GUID: _-oMx-krq91LF86LhZL4w6q3sRrVFG2A
X-Proofpoint-ORIG-GUID: _-oMx-krq91LF86LhZL4w6q3sRrVFG2A
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-25_02,2025-11-25_01,2025-10-01_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 impostorscore=0 spamscore=0 bulkscore=0 suspectscore=0 phishscore=0 clxscore=1011 malwarescore=0 adultscore=0 lowpriorityscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511250200
Message-ID-Hash: BFW6NHHX7UDYEEI6HXXK4ARZQBSFXMIL
X-Message-ID-Hash: BFW6NHHX7UDYEEI6HXXK4ARZQBSFXMIL
X-MailFrom: bkaduk@akamai.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jKyjctDtgAo_tvbpC5Z2-nyW75I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

# Ben Kaduk's review of draft-ietf-tls-mlkem-05
CC @kaduk

I do not support publication of this document at this time; see the "discuss" points for specific items that IMO should be blocking.  (I'm not an AD anymore, of course, so they aren't actually blocking just because I think they should be, but this is a handy review template...)

## Discuss

### KeyShare semantics

In §4.2 when we write

> The KeyShareClientHello includes a list of KeyShareEntry structs that represent the key establishment algorithms the client supports. For each parameter of ML-KEM the client supports, the corresponding KeyShareEntry consists of a NamedGroup that indicates the appropriate parameter, and a key_exchange value that is the pk output of the KeyGen algorithm.

that misrepresents the semantics of the "key_share" extension (and I assume we are not attempting to redefine core TLS 1.3 semantics).  "key_share" contains cryptographic parameters but makes no indication about algorithms that the client (or server) supports -- that role is fulfiled by "supported_groups".

(It's also a bit strange to have prose describing what KeyShareClientHello contains without corresponding prose about the KeyShareServerHello, but since we're not actually redefining what TLS 1.3 says I guess we don't need to.  But by that measure we don't need to have prose about KeyShareClientHello, either.)

### Security considerations of non-hybrid

draft-ietf-tls-hybrid-design has passed WGLC and IETF LC and is in the RFC-Editor queue.  While it does indicate that "Ideally, one would not use hybrid key exchange: one would have confidence in a single algorithm and parameterization that will stand the test of time", it also states clearly that "Many (though not all) post-quantum algorithms currently under consideration are relatively new; they have not been subject to the same depth of study as RSA and finite-field or elliptic curve Diffie-Hellman, and thus the security community does not necessarily have as much confidence in their fundamental security, or the concrete security level of specific parameterizations."

If we believe that this description does not apply to ML-KEM or the situation has changed since draft-ietf-tls-hybrid-design was approved, we need to say so.  But, on the other hand, if we believe that this description remains accurate, we need to acknowledge those concerns in this document.  draft-ietf-tls-hybrid-design has set the context for the use of PQC in TLS and we need to say how this document fits into that context.  I would mostly expect such discussion to include some kind of criteria for assessing whether a given use case would or would not benefit from using pure ML-KEM over a hybrid (and any tradeoffs involved in making that decision), too.

## Comments

### Presumption of migrating beyond hybrids

In §1.1 we note that "Having a purely post-quantum (not hybrid) key establishment option for TLS 1.3 is necessary for migrating beyond hybrids and for users that want or need post-quantum security without hybrids" which is true if we presuppose that there is a need to migrate beyond hybrids and user desire to achieve post-quantum security without hybrids, but does not really justify those presuppositions.  I think we should try to avoid value judgements (which may be hard to achieve consensus on), and thus that we should rather say something like "This document defines key-establishment options for TLS 1.3 that use solely post-quantum algorithms, without a hybrid construction that also includes a traditional cryptographic algorithm".

### definitions

I think it's worth noting the specific terms that we use from FIPS203, e.g., "key seed" (though FIPS 203 seems to just use a bare "seed") or otherwise aligning our terminology more closely with FIPS 203.

### encapsulation key check

In §4.2 we say the server MUST perform the check from §7.2 of FIPS203, which presumably is intended to disallow the option in FIPS203 of "assurance that these checks have been performed can be acquired through other means".  If that's the intent, I think we should say so explicitly, e.g., "the server MUST NOT rely on 'assurance that these checks have been performed' that is acquired through other means".

### contributory behavior

KEMs diverge in general from traditional key-agreement mechanisms with respect to the so-called "contributory behavior", which IIUC corresponds to the LEAK-BIND-K-PK property in [CDM23].  Again if I am reading [CDM23] correctly, ML-KEM itself does provide this property, and then the TLS 1.3 protocol structure *also* (with transcript hash and both endpoints providing randomness) achieves contributory behavior, so in practice we seem to be safe.  But the discussion in §5.2 is pretty hard to follow (in particular, the grammar and binding of pronouns doesn't seem to line up) and seems to talk only about the TLS 1.3 handshake properties, ignoring the properties of ML-KEM itself.  I think this discussion needs to be fleshed out further to cover what we get from the TLS handshake/key schedule, what we get from ML-KEM, and how they are related.

### Main security property for KEMs

Do we want to cite a reference for a claim that "The main security property for KEMs is indistinguishability under adaptive chosen ciphertext attack"?  (I happen to agree, but this is not really something that the TLS WG should be trying to speak authoritatively on.)

### IND-CCA vs IND-CCA2

In this document we state that ML-KEM achieves IND-CCA, but draft-ietf-tls-hybrid-design requires that the KEMs used are "designed to be secure in the event that the public key is reused, such as achieving IND-CCA2 security or ..." (while separately noting that ML-KEM has such security properties).  I recognize that the distinction between IND-CCA and IND-CCA1 and IND-CCA2 is not always worth making, but it also seems like we should try to be consistent across our own related documents.  Can we get away with just talking about IND-CCA2 here, or are there other considerations such that we should keep the IND-CCA term and add text to bridge the gap between documents?

## Nits

### Forward Secrecy

In RFC 8446 we opted to use just "forward secrecy" rather than "perfect forward secrety", and I think we should continue that practice here.

# Notes

This review is formatted in the "IETF Comments" Markdown format, see https://github.com/mnot/ietf-comments .

v2.37.1 | Report a Bug | By Email | System Status