[TLS] Re: ML-KEM recommended column
"D. J. Bernstein" <djb@cr.yp.to> Sun, 08 June 2025 00:17 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9B03F323B05C for <tls@mail2.ietf.org>; Sat, 7 Jun 2025 17:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GN6eFngmmH8G for <tls@mail2.ietf.org>; Sat, 7 Jun 2025 17:17:33 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by mail2.ietf.org (Postfix) with SMTP id 0E11B323B057 for <tls@ietf.org>; Sat, 7 Jun 2025 17:17:32 -0700 (PDT)
Received: (qmail 4400 invoked by uid 1010); 8 Jun 2025 00:17:31 -0000
Received: from unknown (unknown) by unknown with QMTP; 8 Jun 2025 00:17:31 -0000
Received: (qmail 4085043 invoked by uid 1000); 8 Jun 2025 00:16:48 -0000
Date: Sun, 08 Jun 2025 00:16:48 -0000
Message-ID: <20250608001648.4085041.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <f0425eaf-dfc5-474c-94c3-9a50f71fff22@app.fastmail.com>
Message-ID-Hash: Y67Z7F6OZEEY4PLITNKUZS2NCFIFO74I
X-Message-ID-Hash: Y67Z7F6OZEEY4PLITNKUZS2NCFIFO74I
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: ML-KEM recommended column
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/raIaeSpfMWwVbh2FSRkkhFqXlqc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Filippo Valsorda writes: > 2025-06-07 19:49 GMT+02:00 Loganaden Velvindron <loganaden@gmail.com>: > > ML-KEM implementations may suffer from compiler optimizations that could weaken > > the security properties of a pure ML-KEM implementation such as Kyberslash. > That is both a general risk Indeed, even for something as traditional as ECC, we're continuing to find implementation vulnerabilities (such as CVE-2023-6135 in Firefox; see https://cr.yp.to/papers.html#safecurves for many more examples and in-depth analysis). Presumably what we're now seeing from compilers (see generally https://cr.yp.to/papers.html#cryptoint) will produce some exploitable problems in ECC software. > independent of the algorithm, Wait, why would one expect every algorithm to have the same probability of implementation vulnerabilities? Every report tracing vulnerabilities to particular algorithm features is evidence to the contrary. For example, we have a clear understanding of how some curves lead to point-validation disasters while others don't. The latest wave of compiler issues needs more study, but it would be astonishing if this affects every algorithm equally. What's very easy to see is that switching from ECC to PQ has a higher probability of implementation-security disasters than using an ECC+PQ hybrid. This isn't denying the possibility of compilers screwing up _both_ the ECC part and the PQ part; it's saying that leaving out ECC increases user risk. This is one of the reasons to recommend hybrids. > and in the specific case only applicable when reusing public keys. Regarding the three different timing leaks discovered so far in the reference Kyber software, it's true that the first demos of key extraction have targeted keys used many times. However, seeing that a demo works in situation X doesn't say that the underlying vulnerability is exploitable _only_ in situation X, never mind the whole class of vulnerabilities. These demos succeeded using only low-bandwidth information about the time taken by the Kyber software. Higher-bandwidth timing channels are known and presumably would allow attacks using fewer dec invocations, especially in the context of hyperthreading, enclaves, etc. Maybe using a key for just one dec is safe, but maybe not. ---D. J. Bernstein (KyberSlash coauthor but speaking for myself)
- [TLS] ML-KEM recommended column Bellebaum, Thomas
- [TLS] Re: ML-KEM recommended column D. J. Bernstein
- [TLS] Re: ML-KEM recommended column Bellebaum, Thomas
- [TLS] Re: ML-KEM recommended column Loganaden Velvindron
- [TLS] Re: ML-KEM recommended column Filippo Valsorda
- [TLS] Re: ML-KEM recommended column Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: ML-KEM recommended column Bellebaum, Thomas
- [TLS] Re: ML-KEM recommended column Bas Westerbaan