[TLS] Re: FATT Chance: On the Robustness of Standalone and Hybrid ML-KEM Key Exchange in TLS 1.3

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 08 June 2026 08:28 UTC

Date: Mon, 08 Jun 2026 18:27:53 +1000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <aiZ9Cfj6i3YBlzvC@chardros.imrryr.org>
References: <cec4e220-0842-486d-9c69-ddaf37260da4@tu-dresden.de> <MN2PR17MB40310B7FDC1875D16334B680CD102@MN2PR17MB4031.namprd17.prod.outlook.com> <154E6BD1-8F60-4E84-930D-751A812840C8@joseon.com> <CAGgd1OeM=b+g-SCtbQuV9OprSDFHRPk=xcnzqRY0Jd7JQsxeng@mail.gmail.com> <8BF77F56-3E92-490A-A15B-ECA803E745D4@joseon.com> <CAOvwWh3JY6u_vBMtwMOZ96UyM1-uYwuy+9m9xEUXwt+QDK0bbA@mail.gmail.com> <SYBPR01MB6336522468BC74BDCB5C99FCEE1C2@SYBPR01MB6336.ausprd01.prod.outlook.com> <CACSbMKkOw=aHWp3b=gnyd1DBMs4Vd3p11cF_EjCuqkaxvUQStA@mail.gmail.com> <AS4PR07MB88256CB335FB9CC86009170A891C2@AS4PR07MB8825.eurprd07.prod.outlook.com> <874ijdv63m.fsf@josefsson.org>
In-Reply-To: <874ijdv63m.fsf@josefsson.org>
Subject: [TLS] Re: FATT Chance: On the Robustness of Standalone and Hybrid ML-KEM Key Exchange in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nZmWz8e3a4qfE2UDPf96iNHAmQk>

On Mon, Jun 08, 2026 at 09:33:49AM +0200, Simon Josefsson wrote:

> The above argument is often repeated, but I think there are nuances that
> get lost when phrased like that.  Security is rarely binary either-or,
> but more of a spectrum.  All ECDSA keys in the world won't automatically
> be revealed on the first day a CRQC is demonstrated.  People still run
> RSA 1024 deployments (e.g., DNSSEC)

In DNSSEC, ECDSA P-256 exceeds the deployment of RSA, and with RSA
domains, the KSKs are most commonly 2048 bits, with RSA-1024 KSKs on
only ~0.2% of signed domains.  Yes, migration to PQC will take time.

Today's numbers:

 - Algorithm frequencies:
    https://stats.dnssec-tools.org/#/?dnssec_param_tab=0

        KSK Alg             |  Domain count
        13 (ECDSA P-256)    |  14891802
        8  (RSA SHA2-256)   |  10202696
        15 (Ed25519)        |  576447
        10 (RSA SHA2-512)   |  179838
        14 (ECDSA P-384)    |  166224
        7  (RSA SHA1 NSEC3) |  73316
        5  (RSA SHA1)       |  11194

 - RSA KSK bit count frequencies:
    https://stats.dnssec-tools.org/#/?dnssec_param_tab=2

        Bits  |  Domain Count
        2048  |  10008497
        4096  |  405294
        1024  |  24925
        1280  |  17001
        1536  |  5251
        3072  |  2138
        512   |  388
        2024  |  148
        2560  |  139

For ZSKs (that are much easier to rotate, if the operator bothers)
RSA-1024 is dominant at ~90%.

 - RSA ZSK bit count frequencies:
    https://stats.dnssec-tools.org/#/?dnssec_param_tab=3

        Bits  |  Domain Count
        1024  |  9039068
        2048  |  1066378
        4096  |  72116
        1280  |  8079
        3072  |  2753
        512   |  433
        1032  |  277
        1536  |  271
        2304  |  137

-- 
    Viktor.  🇺🇦 Glory to Ukraine!
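The post's tables come from a global survey; an operator who wants the same breakdown for their own zones needs to read the DNSKEY RRset and recover the modulus size from the RFC 3110 key encoding. The following is an added example, not code from the post or from the stats site: it parses presentation-format DNSKEY records, classifies each key as KSK or ZSK from the SEP flag, derives the RSA modulus bits, tallies keys the way the tables above do, and flags keys below a policy threshold. The owner names, the 2048-bit cut-off and the key material are constructed assumptions; the moduli are stand-ins of the right length, not real keys.

```python
import base64
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA DNSSEC algorithm numbers that appear in the tables above
ALG_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519",
}
RSA_ALGS = {5, 7, 8, 10}
SHA1_ALGS = {5, 7}
MIN_RSA_BITS = 2048          # policy threshold assumed for this audit


@dataclass
class KeyInfo:
    owner: str
    role: str                # "KSK" if the SEP flag (bit 15) is set, else "ZSK"
    algorithm: int
    bits: Optional[int]      # RSA modulus size; None for non-RSA algorithms


def rsa_modulus_bits(key: bytes) -> int:
    """Return the modulus size of an RSA DNSKEY public key (RFC 3110 wire format)."""
    # The key starts with the exponent length: one byte, or a zero byte
    # followed by a two-byte big-endian length for exponents over 255 bytes.
    if key[0] != 0:
        exp_len, off = key[0], 1
    else:
        exp_len, off = struct.unpack("!H", key[1:3])[0], 3
    modulus = key[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(record: str) -> KeyInfo:
    """Parse one presentation-format DNSKEY RR, e.g. 'example.test. 3600 IN DNSKEY 257 3 8 AwEA...'."""
    fields = record.split(";", 1)[0].split()          # drop a trailing '; key id = ...' comment
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, _protocol, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split into chunks
    role = "KSK" if flags & 0x0001 else "ZSK"          # bit 15 = SEP, bit 7 = Zone Key
    bits = rsa_modulus_bits(key) if alg in RSA_ALGS else None
    return KeyInfo(owner, role, alg, bits)


def summarize(records: List[str]) -> Counter:
    """Tally keys by (role, algorithm, bits), mirroring the stats tables quoted in the post."""
    return Counter((k.role, k.algorithm, k.bits) for k in map(parse_dnskey, records))


def audit(records: List[str]) -> List[Tuple[str, str, str]]:
    """Return (owner, role, problem) for keys an operator should plan to roll."""
    findings = []
    for k in map(parse_dnskey, records):
        name = ALG_NAMES.get(k.algorithm, f"alg {k.algorithm}")
        if k.bits is not None and k.bits < MIN_RSA_BITS:
            findings.append((k.owner, k.role, f"{name} modulus is {k.bits} bits (< {MIN_RSA_BITS})"))
        if k.algorithm in SHA1_ALGS:
            findings.append((k.owner, k.role, f"{name} relies on SHA-1"))
    return findings


def _rsa_key_blob(bits: int, exponent: int = 65537) -> bytes:
    """Constructed RFC 3110 blob with a stand-in modulus of exactly `bits` bits (not a real key)."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = (1 << (bits - 1)) | 1                     # top bit set so the size is exact
    return bytes([len(exp)]) + exp + modulus.to_bytes(bits // 8, "big")


# Constructed sample RRset: hypothetical owner names, stand-in key material.
SAMPLE_RRSET = [
    "example.test. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(_rsa_key_blob(2048)).decode(),
    "example.test. 3600 IN DNSKEY 256 3 8 " + base64.b64encode(_rsa_key_blob(1024)).decode(),
    "legacy.test. 3600 IN DNSKEY 257 3 5 " + base64.b64encode(_rsa_key_blob(1024)).decode()
    + " ; key id = 12345",
    "modern.test. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(b"\x04" * 64).decode(),
]

if __name__ == "__main__":
    for (role, alg, bits), n in sorted(summarize(SAMPLE_RRSET).items(), key=str):
        print(f"{role} alg={alg} bits={bits}: {n}")
    for owner, role, problem in audit(SAMPLE_RRSET):
        print(f"{owner} {role}: {problem}")
```

Feeding the output of a `dig DNSKEY` query for your own zones into `parse_dnskey` gives the per-zone view of the KSK/ZSK split the post describes; the 1024-bit ZSKs that dominate the third table are exactly what `audit` reports, and the SEP-flag check is what separates the "easy to rotate" ZSK case from a KSK roll that also needs a DS update at the parent.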