[TLS] Re: forwarding draft-ietf-tls-mlkem-05 use case
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 17 February 2026 17:21 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B206BB8E1282 for <tls@mail2.ietf.org>; Tue, 17 Feb 2026 09:21:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=dukhovni.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9PbPZXM32vkr for <tls@mail2.ietf.org>; Tue, 17 Feb 2026 09:21:54 -0800 (PST)
Received: from chardros.imrryr.org (chardros.imrryr.org [144.6.86.210]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 26083B8E1275 for <tls@ietf.org>; Tue, 17 Feb 2026 09:21:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dukhovni.org; i=@dukhovni.org; q=dns/txt; s=f8320d6e; t=1771348904; h=date : from : to : subject : message-id : reply-to : references : mime-version : content-type : in-reply-to : content-transfer-encoding : from; bh=Te1EFzlMANodz3mrFQ+RbbtKmrSsHarII/d6RHKJ56o=; b=b0o1uYgL2Cvzf9HIiT5sYjwKTt0NmHPuHF2CN9oFE5abg5RMwDCDFnqVPkj/fXSP9VhN0 EB1r04o2OqUHb1cD5Oekj4JW0Mzq67shzCQdTXF7DfDd48zC1TqJ7cnCZcptPqZOuxGB8Tk 9QTOxq53qJEd+t+hmQ7p7uBcv+JZk3E=
Received: by chardros.imrryr.org (Postfix, from userid 1000) id 3EC529355B9; Wed, 18 Feb 2026 04:21:44 +1100 (AEDT)
Date: Wed, 18 Feb 2026 04:21:44 +1100
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <aZSjqJmagFIPRXWB@chardros.imrryr.org>
References: <350ec383-ae75-cadf-ab47-41811d5d9cec@nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <350ec383-ae75-cadf-ab47-41811d5d9cec@nohats.ca>
Mail-Followup-To: <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: VQ2SBCKFDUMV47UZK54KTTFEJOASAMZ3
X-Message-ID-Hash: VQ2SBCKFDUMV47UZK54KTTFEJOASAMZ3
X-MailFrom: ietf-dane@dukhovni.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Reply-To: tls@ietf.org
Subject: [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use case
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/e4omkKmsx-q4Wf1__xroTDG5ImM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On Tue, Feb 17, 2026 at 11:02:08AM -0500, Paul Wouters wrote:
> I was asked by a TLS participant to relay some information publicly
> regarding their pure PQ mlkem use case. I have rephrased their ontribution
> in my own words below.
>
> There is a use case for MLKEM in the market of high-frequency
> trading. Apparently there were complaints from those users (eg
> traders) in the past about the performane impact of migrating
> to TLS 1.2. If there is a performance drop with TLS 1.3 with an
> MLKEM hybrid, then migration to PQ (or TLS 1.3) would stall. If
> they can offer a (even tiny) performance gain of TLS 1.3 MLKEM
> over TLS 1.2 ECDHE, then this individual would have a strong
> case to deploy PQ security. Otherwise, the traders will insist
> on waiting until a CRQC is publicly known to exist.
>
> The individual stated they are in favour of adoption the pure mlkem
> document along with the hybrid document so people can pick either,
> depending in their use cases.
This does not look to me like a compelling rationale. A high-frequency
trading system that does not route trades over a connection that was
established well before market open, and expects to beat the competition
by minimising connection establishment latency, is perhaps doing it wrong.
For already established TLS connections latency does not depend on which
key agreement group was used in the initial handshake.
In environments where resumption is typically available, TLS 1.2 can
somtimes offer lower amortised connection latency than TLS 1.3, because
TLS 1.2 does not redo key agreement during resumption. While in TLS 1.3
interoperably negotiating "psk_ke", rather than "psk_dhe_ke" can be
quite challenging.
One might also point out that the payload of high-frequency trades is
not likely to be a long-term secret. Old news by market close, if not
in a matter of minutes or seconds. So harvest-now decrypt-later does
not look like a significant threat model in this use-case.
Why not just negotiate X25519, the smaller Client Hello packet size
likely more than makes up for any speed advantage from ML-KEM-768,
and its performance is quite competitive: (on my low-end CPU):
op/s
253 bits ecdh (X25519) 33494.6
keygens/s encaps/s decaps/s
ML-KEM-512 54360.7 80885.2 53943.8
ML-KEM-768 36473.2 60446.3 39872.6
Since for ML-KEM a client will do both keygen and decapsulation, X25519
may well be faster all around with little apparent reason to rush into
either pure or hybrid PQ in this use-case.
--
Viktor. 🇺🇦 Слава Україні!
- [TLS] forwarding draft-ietf-tls-mlkem-05 use case Paul Wouters
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Viktor Dukhovni
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Bas Westerbaan
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Joshua
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Eric Rescorla
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Peter Gutmann
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Muhammad Usama Sardar
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … John Mattsson
- [TLS] Re: [EXT] Re: forwarding draft-ietf-tls-mlk… Blumenthal, Uri - 0553 - MITLL