[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

Watson Ladd <watsonbladd@gmail.com> Tue, 07 October 2025 18:43 UTC

MIME-Version: 1.0
References: <CAOgPGoA+c8kXDizwsvFG5tLz9+Kxk0HqiN1skKp5jMvvpxeu0Q@mail.gmail.com> <CABcZeBO+3u=1=ueNscq+O74Qv=7PC5NedsGsugp=GZjVqtODoQ@mail.gmail.com> <CAMjbhoVcxTfppSrkC27F8uf9hKvqTDBsG_-dzGtWbjia5YhmXw@mail.gmail.com> <aOVWcf9JFllri-vG@netmeister.org> <87h5wapnqf.fsf@josefsson.org>
In-Reply-To: <87h5wapnqf.fsf@josefsson.org>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 07 Oct 2025 11:34:52 -0700
Message-ID: <CACsn0cmfNvqjD4QVUa_EKexCFqix83_NWYsMu=Hru4U6T5DGgg@mail.gmail.com>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: TZG63LOB67UMY4SP6RREPKZ4TVHATHTD
CC: tls@ietf.org
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/q5SL5_rtnGeiEwWGGmxthw5H8Qk>

I haven't seen anyone say they don't want to see a Y by
X25519MLKEM768. Since this is the widespread and adopted solution
right now, we should do everything we can to encourage use, and punt
on the harder question of what other hybrids to recommend.

On Tue, Oct 7, 2025 at 11:32 AM Simon Josefsson
<simon=40josefsson.org@dmarc.ietf.org> wrote:
>
> The discussion below suggests to me that X25519MLKEM768 is the running
> code de-facto algorithm that ought to be on the Standards Track and
> Recommended=Y and the other variants should be split off to a separate
> Informational document with Recommended=N for niche usage.
>
> I believe generally that we need multiple PQ-safe hybrids as Standards
> Track and MUST/Recommended algorithms for all our Internet security
> protocols like TLS, SSH, etc, so I would encourage deployment of
> additional PQ-safe hybrids for TLS.  Settling with X25519MLKEM768 only
> is not the final solution.
>
> Mitigating algorithm profileration is a consideration, but security
> heding is more important.  It would be nice to get X25519 combined with
> FrodoKEM, Classic McEliece, SNTRU, and more deployed for TLS too, so we
> have options.  I believe it makes more sense to add some other PQ KEM as
> a StandardsTrack/MUST/Recommended than to have SecP256MLKEM768 there.
> In fact, I would go further and say that we should progress two at the
> same time, to not get into a single point of failure situation.
>
> /Simon
>
> Jan Schaumann <jschauma=40netmeister.org@dmarc.ietf.org> writes:
>
> > Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org> wrote:
> >> This is the breakdown of client support Cloudflare sees (relative to any PQ
> >> support) in the last 24 hours by handshakes:
> >>
> >> 94% X25519MLKEM768
> >> 8.1% X25519Kyber768
> >> 0.038% MLKEM768
> >> 0.014% CECPQ2
> >> 0.012% MLKEM1024
> >> 0.002% SecP384MLKEM1024
> >> 0.002% SecP256MLKEM768
> >> 0.00005% MLKEM512
> >> 0.0000003% SecP256Kyber768
> >
> > [...]
> >
> >> I can see an argument for Recommended=Y for both X25519MLKEM768 and
> >> SecP384MLKEM1024, but I do not see any value in recommending both
> >> X25519MLKEM768 and SecP256MLKEM768.
> >
> > On the flip side, and as just some data points here, I
> > recently did a check[1] of which sites/providers offer
> > PQC, and what key groups they support.  Not
> > surprisingly, it's almost all (and _only_)
> > X25519MLKEM768.
> >
> > Amazon Cloudfront (as pretty much the only large
> > service provider) offers SecP256r1MLKEM768.
> >
> > This is not surprising: AFAICT, the browsers only
> > support X25519MLKEM768.  If no servers offer anything
> > else, then browsers have no incentive to implement
> > other key groups; if no browsers offer other
> > keygroups, then servers have no incentive to offer
> > them.
> >
> > -Jan
> >
> > [1] https://www.netmeister.org/blog/pqc-use-2025-09.html
> >
> > _______________________________________________
> > TLS mailing list -- tls@ietf.org
> > To unsubscribe send an email to tls-leave@ietf.org
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org



-- 
Astra mortemque praestare gradatim

[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… David Adrian
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
[TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
[TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: [External] Re: Working Group Last Call … John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
[TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
[TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey