IETF Logo Mail Archive

[TLS] Re: FATT Chance: On the Robustness of Standalone and Hybrid ML-KEM Key Exchange in TLS 1.3

Nathanael Ritz <nathanritz@gmail.com> Sat, 06 June 2026 23:51 UTC

Return-Path: <nathanritz@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 99B4DFC8CD89 for <tls@mail2.ietf.org>; Sat, 6 Jun 2026 16:51:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780789909; bh=JRmUtvp84KP7fB6mwYXIiEZ+8Wfsf0g19dCmzB44wrI=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=EoU3Z6EpZsN3OYl81GwGSa8uDubrii+DUNp8oNt/jUMpKFr/LkkWLkFWuSwyfgFre yemR1b9bs8PKUJYodWKMhcG9sIp2OP1PMXj2UkKSoMD4vOtx3JDeaKixYa0QvFthTK /id+7YgKE+Yso+ZrI2WZ8DkWWDETbqADUQ63TVhE=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eAPyPqi40vky for <tls@mail2.ietf.org>; Sat, 6 Jun 2026 16:51:49 -0700 (PDT)
Received: from mail-dl1-x122f.google.com (mail-dl1-x122f.google.com [IPv6:2607:f8b0:4864:20::122f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3EE40FC8CD04 for <tls@ietf.org>; Sat, 6 Jun 2026 16:51:25 -0700 (PDT)
Received: by mail-dl1-x122f.google.com with SMTP id a92af1059eb24-13721dfd471so4133204c88.1 for <tls@ietf.org>; Sat, 06 Jun 2026 16:51:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1780789884; cv=none; d=google.com; s=arc-20240605; b=jYnFK2cqFkev95UZp82r+pIoRnoK9mRp4gGCwpBVF6T7ny5VRtZnEm6X5bFywLF0// VUmHW58wXH7rMoldWHRbeLZhZovhOL9NcIBVPHfA8cu18+2VhxnyJqBuIVsX9fzILJHW mNGd+nuGp0Ix3SxXwO7ZtvKpZ0gXimVjaExFB6yVpgX57R/1etlffq0+K8tuyY5G+xVf 18Ohcf43DjiLp8el/hj/5KU4qLnccl3P7JYvbdrNl/YCz6ipvhtnBJV3Wiv3vkopKNZ+ dJXckuhFdTt8t9DyeoVsY8fG0Fu0HrWKgcN/KddwGaD/iEDmjCT/CkZEYUB8tXRGyKSn a+uQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=uS9kGh0Fzg/Jhd6N8uuzYZm53ao2SSftSk8gJMfbb4g=; fh=Bu94C/oc140Whr2o5Ja3aXdOvtfH2HSgb+cR4+LYpyM=; b=B5NpE2+x72Unk/z9Xzakmk810fQzYDYp8g5H1T1mTTikvSXP7qhxK41EvsrFeobVkI EW2J6YV59wxFVBI2msBWza9NTATZQkM7TbPL5qfy41ofchOsGSJSvjveJNcs3U0EuDYJ WV/WVtu+ikKiHN81a1a+Yd/RKQ8s9o9x2rwhcxE3M2xxDIfNWEIoaWBuIOjz1NObUjyu /PtDrdOb+HGz7beCfNKsozym56y4+Vt5z6Mxi3j335eP/vs+0gn/22VFjtsI+B0mQPmK suEb6sexttWm1R/SgbgoOH8X1mh6SAjxUsARpQuGoym/5Zu1a1y+E/f8AfNEVeOuz3b4 Syyw==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780789884; x=1781394684; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uS9kGh0Fzg/Jhd6N8uuzYZm53ao2SSftSk8gJMfbb4g=; b=TmZNzSst6hn4jwrQoPI6tP8IZk7LD4fulnAEesa2Re4Z6iz2Sg+BhJ92XLrMse9UEE BSoG3W3FqURfDccpBx2bV0COU0xzpyE2xurlO51YD+v29nid0d6GCnYNUO6EcGqYnba7 aZDqLOiWj4WjRgHi2b2LglcvEeLWFWcRR2p/3JPLZ9Ts6W3+ZOSEWDbJd//kGRTOs5n0 GncDFTUZcdnrnubteAHMcVqF7KLBrSZz/uTGZdyfdESgIYSCphI+I4MrTviLU3buLFx7 WLEr3xv/3fuGG+a8iegFgq90mSJZ4yzINUs1cgl6hrAlqNWnoSEBL786QLBGu3KnlVYq hlDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780789884; x=1781394684; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=uS9kGh0Fzg/Jhd6N8uuzYZm53ao2SSftSk8gJMfbb4g=; b=VgP02Ss+CTnPo8gDQea2sSX2XW+o4k9xNj2R7xt4YHElR6R0e6pqlrTur9chCgAGqk JffQRWbqm5VDtb3mPdn9Zj/2XAebfhr445nNsjOVraeGJvAuE+ejvFE9cUT7isyoGGck TqSLC2JmLNPfFf+tc2w8HnbAYZdBhdejyM59fbnUUVR1nkAQ1xbjOJb/4nrtBqXTf+5m JdSEwUD3OQHUuvpMFa1TqfXEWra/F33CbHnxC44q173DBXttgaJQm6Ua/lJbCvGO9UUG Zgl12jUI8NX4CRV+wr99yJTeSknR+/REaJoQ9vgSrKr1WtCtYcRBHHexpSTftguyWZYE 0N2g==
X-Forwarded-Encrypted: i=1; AFNElJ//DCk80J0R8AARYLxpC6HwbE6qpGG58xXu55STACkOpkaGihKqojFv6RwUppjbiumBvb4=@ietf.org
X-Gm-Message-State: AOJu0Yw2D3sOZH2X1xusUmiGNDfHLUf6cJhcdDOtVuVwYOBecF9CXspe v5LOvgt+c3ncdtQyXQdSuTionYO6KhiVigLNdqo8PbLGgOJolWwb82J09JJhounkD8TnBb6cc7u qu17h1/fGRw2XP3J8F+Oj6iAmi5qHuFX54ocS
X-Gm-Gg: Acq92OGQXSwB0DTwL4BJ/lR1Mdj4cgFH7j8xvqnR7A1aokvPj7n/ojB3tK7cKrJEDhL RdOKIRSMIaUFK0xs1JY0pI5els7g8mE+NhztxUjl8buUfwIPvkUtxR3FANOW4gdy0Mxk3jI8yT7 d+MeMGWIqX2mLGv7VBPqWT4JnOQaTEC2IpGREyf1NyqKwHiVQwYwVxhW1I//XiwEmWWfg1vP+ci axwhpdS61SZZEAnZ0eCDzWAgiqVeMLDbOC7g1e+XoFpT6auxT3t10dOHAH7MkHgvurUaB4BL2jV PiT/rQ0vmc8llogZLX0/P948LaHBbFEKutyExIldz+b556ELqQpE
X-Received: by 2002:a05:7022:f411:b0:138:6c:477f with SMTP id a92af1059eb24-1380671484emr4804934c88.34.1780789884069; Sat, 06 Jun 2026 16:51:24 -0700 (PDT)
MIME-Version: 1.0
References: <AS4PR07MB8825B096CCE8A2E16A213658891E2@AS4PR07MB8825.eurprd07.prod.outlook.com> <657a486e-71db-4582-9424-78d705ab2c80@tu-dresden.de> <C256D479-684A-49FF-9A5E-7353A80ADCCF@symbolic.software> <CABcZeBPQbw=WnTVm5P7KnsVPNLG=uR0Y7f8FOYYm+K6nOMCBQQ@mail.gmail.com>
In-Reply-To: <CABcZeBPQbw=WnTVm5P7KnsVPNLG=uR0Y7f8FOYYm+K6nOMCBQQ@mail.gmail.com>
From: Nathanael Ritz <nathanritz@gmail.com>
Date: Sat, 06 Jun 2026 17:51:10 -0600
X-Gm-Features: AVVi8Cd876GkzA4R_zKYiIQIEgy7vhZslkDs1LeOAJzrAcqsWwRTaNMed1zZ9Hg
Message-ID: <CAHxYnaOep1e_ovP8_yykiaPoiGOmxc9HbnLmkVveNa3HWhEk6w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="00000000000075a9c006539e74b1"
Message-ID-Hash: Z7B5MZREYLI5ENTOKR6XPRMFB53UK7FE
X-Message-ID-Hash: Z7B5MZREYLI5ENTOKR6XPRMFB53UK7FE
X-MailFrom: nathanritz@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Nadim Kobeissi <nadim@symbolic.software>, "TLS@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: FATT Chance: On the Robustness of Standalone and Hybrid ML-KEM Key Exchange in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kYAM4T7y-NNmqN123zXgte3B3go>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Sat, Jun 6, 2026 at 4:36 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Sat, Jun 6, 2026 at 7:44 AM Nadim Kobeissi <nadim@symbolic.software>
> wrote:
>
>> Hi Usama,
>>
>> Thanks, I wholly agree with your message.
>>
>> Nadim, perhaps you could propose a PR [2] summarizing your analysis in
>> something like one paragraph?
>>
>> Done:  https://github.com/tlswg/draft-ietf-tls-mlkem/pull/20
>>
>
> Unless I misunderstand what Nadim says his analysis has shown, it mostly
> confirms the intuitive analysis that hybrids are secure in the case of
> failure of either individual component. I think the previous text captures
> this effectively in terms of failure of the PQ component and wouldn't
> oppose changing the text state that it applied to failure of the
> traditional component as well, but I think this text implies a much
> stronger conclusion than is supported by the analysis.
>
> I wouldn't oppose a factual statement, such as "Machine-checked symbolic
> analysis [REF] confirms that PQ/T key establishment is secure [potentially
> this could be made more precise] even if either of the components is
> compromised."
> -Ekr
>

The formal analysis establishes that hybrid is strictly more robust than
standalone. The decision about what type of primitive to fit into their
respective “slots” seems like a more open question.

To also support John Mattsson’s point regarding the anticipated security
collapse of traditional DHE to CRQCs, while acknowledging the risks of the
unknown regarding ML-KEM’s longer term resilience, perhaps the text could
be word-smithed this way?

“Machine-checked symbolic analysis [REF] supports preferring hybrid
deployment over standalone key establishment, confirming that hybrid key
establishment remains secure under compromise of either individual
component.”

Cheers,

Nathanael

v2.46.0 | Report a Bug | By Email | System Status