[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 10 October 2025 20:36 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Deirdre Connolly <durumcrustulum@gmail.com>
Thread-Topic: [EXT] [TLS] Re: [EXTERNAL] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Thread-Index: AQHcOht/gVjshW1KRkGySEMwn3DqQrS7xREAgAAGewCAAAHJgIAAAYKAgAAAsICAAAHwgIAAAFoAgAAFCIA=
Date: Fri, 10 Oct 2025 20:36:31 +0000
Message-ID: <551EC460-8C2F-4FB5-B95C-D11DCD84BB61@ll.mit.edu>
References: <CAFR824wG_3h3P0cM_oe4sAA2T9si2KteZRvi3UbzC7gs6hV7hQ@mail.gmail.com>
In-Reply-To: <CAFR824wG_3h3P0cM_oe4sAA2T9si2KteZRvi3UbzC7gs6hV7hQ@mail.gmail.com>
CC: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>, "D. J. Bernstein" <djb@cr.yp.to>, "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3fGgU5jtXXivZUDCLQWaMOTqP5Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

Yes, hybrid is weaker because it contributes little/nothing[1] to cryptographic security and increases attack surface by adding another code base.

[1] The only case when hybrid helps is when a CRQC is not a threat **and** the PQ algorithm falls to a classic attack (like SIKE). Thus, deploying hybrid because you want to protect your data against a “harvest now, decrypt later” quantum attack is a non-starter. And that attack is the main reason people are hustling now, rather than waiting for several more years.
Regards,
Uri

Secure Resilient Systems and Technologies
MIT Lincoln Laboratory

On Oct 10, 2025, at 16:19, Deirdre Connolly <durumcrustulum@gmail.com> wrote:


If you are fine with ML-KEM, you should be able to use it on its own. That's it.

On Fri, Oct 10, 2025, 4:17 PM Rob Sayre <sayrer@gmail.com> wrote:
Hi,

Alright, but that's the issue. I hope we can stick to that point.

"migrating beyond hybrids and for users that need to be fully post-quantum."

Where does the need to be solely PQ arise? Is it weaker in some way to use a hybrid?

thanks,
Rob


On Fri, Oct 10, 2025 at 1:10 PM Deirdre Connolly <durumcrustulum@gmail.com> wrote:

On Fri, Oct 10, 2025 at 4:07 PM Rob Sayre <sayrer@gmail.com> wrote:
Hi,

That does not answer my question: why?

The hybrid draft has a rationale:


thanks,
Rob

On Fri, Oct 10, 2025 at 1:02 PM Deirdre Connolly <durumcrustulum@gmail.com> wrote:
The drafts and the profile currently do not make Recommendations or MTIs; they make the options available. ekr has now raised promoting one hybrid option as Recommended = Y. Not everyone can or should use the same options; we have a diversity of curves, for example.

On Fri, Oct 10, 2025 at 3:56 PM Rob Sayre <sayrer@gmail.com> wrote:
On Fri, Oct 10, 2025 at 12:33 PM Deirdre Connolly <durumcrustulum@gmail.com> wrote:
CNSA 2.0 does not support hybrids in general, and their TLS profile only supports ML-KEM-1024: https://datatracker.ietf.org/doc/draft-becker-cnsa2-tls-profile/

Hi,

But why is that? See this thread from the IETF general list:


As pointed out in that thread, all of these drafts seem to conflict with the rationale in draft-ietf-tls-hybrid-design.

thanks,
Rob

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-leave@ietf.org
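For readers following this thread who want to see concretely what "hybrid" means in the draft under last call, the following is an added example (editor's illustration, not text from draft-ietf-tls-ecdhe-mlkem and not code from any TLS stack). It lays out the client and server key_exchange values and the combined shared secret for the three hybrid groups, with the component order, sizes and codepoints as the draft gives them, and then runs the combined secret through the TLS 1.3 key schedule step where the (EC)DHE secret normally goes. Assumptions: the ML-KEM and ECDH secrets and public values are constructed stand-ins (random bytes of the right length), since no ML-KEM or X25519/P-256/P-384 arithmetic is performed; only the byte layout and the HKDF key schedule are real.

```python
"""Key-share layout and shared-secret combination for the hybrid groups in
draft-ietf-tls-ecdhe-mlkem, plus the TLS 1.3 key-schedule step that consumes
the combined secret.  Standard library only.

Assumption: sizes, component order and codepoints are as given in the draft.
The ML-KEM / ECDH values below are constructed stand-ins (os.urandom), not the
output of real ML-KEM or X25519 / P-256 / P-384 code.
"""
import hashlib
import hmac
import os

MLKEM_SS_LEN = 32  # ML-KEM shared secret is 32 bytes for every parameter set

# Per-group byte sizes and the concatenation order the draft specifies:
# X25519MLKEM768 puts the ML-KEM part first, the NIST-curve groups put ECDH first.
HYBRID_GROUPS = {
    "X25519MLKEM768":     dict(codepoint=0x11EC, ecdh_pub=32, ecdh_ss=32, ek=1184, ct=1088, mlkem_first=True),
    "SecP256r1MLKEM768":  dict(codepoint=0x11EB, ecdh_pub=65, ecdh_ss=32, ek=1184, ct=1088, mlkem_first=False),
    "SecP384r1MLKEM1024": dict(codepoint=0x11ED, ecdh_pub=97, ecdh_ss=48, ek=1568, ct=1568, mlkem_first=False),
}


def _concat(group, mlkem_part, ecdh_part):
    return mlkem_part + ecdh_part if HYBRID_GROUPS[group]["mlkem_first"] else ecdh_part + mlkem_part


def _split(group, blob, mlkem_len, ecdh_len):
    """Inverse of _concat; a receiver must reject anything but the exact size."""
    if len(blob) != mlkem_len + ecdh_len:
        raise ValueError(f"{group}: expected {mlkem_len + ecdh_len} bytes, got {len(blob)}")
    if HYBRID_GROUPS[group]["mlkem_first"]:
        return blob[:mlkem_len], blob[mlkem_len:]
    return blob[ecdh_len:], blob[:ecdh_len]


def client_key_share(group, mlkem_ek, ecdh_pub):
    """ClientHello key_exchange: ML-KEM encapsulation key + ECDH public value."""
    g = HYBRID_GROUPS[group]
    if len(mlkem_ek) != g["ek"] or len(ecdh_pub) != g["ecdh_pub"]:
        raise ValueError("component length does not match group")
    return _concat(group, mlkem_ek, ecdh_pub)


def server_key_share(group, mlkem_ct, ecdh_pub):
    """ServerHello key_exchange: ML-KEM ciphertext + ECDH public value."""
    g = HYBRID_GROUPS[group]
    if len(mlkem_ct) != g["ct"] or len(ecdh_pub) != g["ecdh_pub"]:
        raise ValueError("component length does not match group")
    return _concat(group, mlkem_ct, ecdh_pub)


def parse_client_key_share(group, blob):
    g = HYBRID_GROUPS[group]
    return _split(group, blob, g["ek"], g["ecdh_pub"])  # -> (mlkem_ek, ecdh_pub)


def parse_server_key_share(group, blob):
    g = HYBRID_GROUPS[group]
    return _split(group, blob, g["ct"], g["ecdh_pub"])  # -> (mlkem_ct, ecdh_pub)


def hybrid_shared_secret(group, mlkem_ss, ecdh_ss):
    """Plain concatenation; this replaces the (EC)DHE input of the key schedule."""
    g = HYBRID_GROUPS[group]
    if len(mlkem_ss) != MLKEM_SS_LEN or len(ecdh_ss) != g["ecdh_ss"]:
        raise ValueError("shared-secret length does not match group")
    return _concat(group, mlkem_ss, ecdh_ss)


# --- TLS 1.3 key schedule, RFC 8446 section 7.1 (SHA-256 by default) ---------

def hkdf_extract(salt, ikm, h=hashlib.sha256):
    return hmac.new(salt, ikm, h).digest()


def hkdf_expand_label(secret, label, context, length, h=hashlib.sha256):
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand, one HMAC block per iteration
        block = hmac.new(secret, block + info + bytes([counter]), h).digest()
        out += block
        counter += 1
    return out[:length]


def derive_secret(secret, label, transcript, h=hashlib.sha256):
    return hkdf_expand_label(secret, label, h(transcript).digest(), h().digest_size, h)


def handshake_secret(shared_secret, psk=None, h=hashlib.sha256):
    """Early Secret -> Derive-Secret("derived") -> Handshake Secret."""
    n = h().digest_size
    early = hkdf_extract(bytes(n), psk if psk is not None else bytes(n), h)
    derived = derive_secret(early, b"derived", b"", h)
    return hkdf_extract(derived, shared_secret, h)


if __name__ == "__main__":
    for name, g in HYBRID_GROUPS.items():  # stand-in secrets, constructed here
        ss = hybrid_shared_secret(name, os.urandom(MLKEM_SS_LEN), os.urandom(g["ecdh_ss"]))
        print(f"{name} (0x{g['codepoint']:04X}): {len(ss)}-byte secret -> "
              f"handshake secret {handshake_secret(ss).hex()}")
```

Two things the code makes visible that the prose discussion does not: the draft's combiner is nothing more than concatenation of the two raw secrets fed to HKDF-Extract, so both components enter the handshake secret through the same MAC, and the sizes are fixed per group, which is why a receiver can and should reject a key_exchange value of any other length rather than guessing a split point. With the PSK left empty, the early and "derived" secrets this code produces match the SHA-256 trace in RFC 8448.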