IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

"D. J. Bernstein" <djb@cr.yp.to> Wed, 26 November 2025 20:39 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 735A79155200 for <tls@mail2.ietf.org>; Wed, 26 Nov 2025 12:39:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=unavailable autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1N6u6Vg_cpZ9 for <tls@mail2.ietf.org>; Wed, 26 Nov 2025 12:39:17 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by mail2.ietf.org (Postfix) with SMTP id 1383E91551F0 for <tls@ietf.org>; Wed, 26 Nov 2025 12:39:17 -0800 (PST)
Received: (qmail 3820095 invoked by uid 1010); 26 Nov 2025 20:39:16 -0000
Received: from unknown (unknown) by unknown with QMTP; 26 Nov 2025 20:39:16 -0000
Received: (qmail 367663 invoked by uid 1000); 26 Nov 2025 20:39:06 -0000
Date: Wed, 26 Nov 2025 20:39:06 -0000
Message-ID: <20251126203906.367661.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
Mail-Followup-To: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
In-Reply-To: <aSdWDFHAW2GxiiCa@akamai.com>
Message-ID-Hash: HCKAF6CAHYAYWIFRDWJVVABUBUC2RRR5
X-Message-ID-Hash: HCKAF6CAHYAYWIFRDWJVVABUBUC2RRR5
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tqr5Mz0t8aqWLq9d2diZSQ70eAA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Benjamin Kaduk writes:
> Can you repeat your analysis for a scenario involving a 16-bit CPU
> operating at a 100 MHz clock speed and with a 5 kBps network
> connection?

Is this 5000 bytes/second send plus simultaneously 5000 bytes/second
receive? Or 5000 bytes/second shared by send and receive?

For, e.g., ML-KEM-768, can the 1184 bytes (0.2368 seconds) one way be
overlapped with the 1088 bytes (0.2176 seconds) the other way, or do
they have to occupy 2272 bytes out of 5000 (0.4544 seconds)?

Either way, this communication for ML-KEM-768 is clearly slower than
X25519 in the scenario you're describing, since a 16-bit MSP430X takes
just 8 million cycles (https://eprint.iacr.org/2015/343) for DH, and
thus just 16 million cycles for keygen+DH (with a trivial reuse of DH
for keygen rather than putting more work into speeding up keygen), i.e.,
0.16 seconds at 100 MHz. The 32+32 bytes of traffic add at most 0.0128
seconds.

Figuring out the total costs of X25519 + ML-KEM-768 would be more work.
My experience with small devices is that computation can be overlapped
with communication, but of course one has to work out how much can be
parallelized inside the protocol, and how many cycles ML-KEM-768 needs
on this platform. From a throughput perspective (doing many key
exchanges), presumably the bottleneck would be communication, meaning
that ML-KEM-768 is 3% faster than X25519 + ML-KEM-768.

> Other IETF protocols attempting to support devices constrained on that
> scale have jumped through hoops

Sure, but there's a difference between the following processes: (1)
looking at platform details and trying to engineer something that fits
into the platform; (2) pointing vaguely in the direction of unspecified
embedded devices as a talisman to support a proposal for reducing cost,
without regard to whether the cost difference actually matters or
whether the devices can even run TLS in the first place.

---D. J. Bernstein


===== NOTICES =====

This document may not be modified, and derivative works of it may not be
created, and it may not be published except as an Internet-Draft. (That
sentence is the official language from IETF's "Legend Instructions" for
the situation that "the Contributor does not wish to allow modifications
nor to allow publication as an RFC". I'm fine with redistribution of
copies of this document; the issue is with modification. Legend language
also appears in, e.g., RFC 5831. For further background on the relevant
IETF rules, see https://cr.yp.to/2025/20251024-rules.pdf.)

v2.37.1 | Report a Bug | By Email | System Status