IETF Logo Mail Archive

[TLS] Re: forwarding draft-ietf-tls-mlkem-05 use case

Joshua <joshua@marionberry.net> Tue, 17 February 2026 17:33 UTC

Return-Path: <joshua@marionberry.net>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8BC18B8E6649 for <tls@mail2.ietf.org>; Tue, 17 Feb 2026 09:33:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=marionberry.net
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLsqnMYO2Nj4 for <tls@mail2.ietf.org>; Tue, 17 Feb 2026 09:33:15 -0800 (PST)
Received: from mail-4399.protonmail.ch (mail-4399.protonmail.ch [185.70.43.99]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B8399B8E5D2C for <tls@ietf.org>; Tue, 17 Feb 2026 09:31:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marionberry.net; s=protonmail; t=1771349471; x=1771608671; bh=eXKJdFw1KXijAEEziaonAvCtuDEo3loObaeFHWy0ulM=; h=Date:To:From:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=Wjl+AkJoAHzEcNMJAB5CT1nN1aQER7cNT3rssz03SLlpI+5dNszAmFgcDKZtwbTbd NeSTh1Sa8OWYURfcKuAaQDpeF23ItVGIDy7D884W/mw+NTIZrONRMuGRSXM5V0gREb mPZaViTh0kJoCxWLLMubn1mVBZHR7KQmkyutef0QZIfQ7CB17XcQDUOiDObZ4k3uug gAv3wbKtlECT55thqFHGaWU8J6mCx3bCZw9g7fcNv8qwIlShXQ/AYoAUCi7asdAHFd 1D+J+ifb/Sx7Z1Tj/EUlDM4wY/GFo1unHEmql/QfW30kGHeClOiKFIHahwv74Rc+cJ TjLJU436DnORg==
Date: Tue, 17 Feb 2026 17:31:05 +0000
To: tls@ietf.org
From: Joshua <joshua@marionberry.net>
Message-ID: <QoU2sZuraBPD8Ak_h7dueHinUBEXa-y2P0riVkyeZM7d1iwOMVjQHaEQB7BESm7fjDgKh2z9BSyC7gsxAKAsWz5ssi5UsGtZw8eJstR2IWQ=@marionberry.net>
In-Reply-To: <aZSjqJmagFIPRXWB@chardros.imrryr.org>
References: <350ec383-ae75-cadf-ab47-41811d5d9cec@nohats.ca> <aZSjqJmagFIPRXWB@chardros.imrryr.org>
Feedback-ID: 131523398:user:proton
X-Pm-Message-ID: 9a0492f42ea2d51cb410fb67b526f7109033eeb8
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------9870c6d8abebdafe5e94c351f2c345cbb968964fc5825cd370891fdf70726fcf"; charset="utf-8"
Message-ID-Hash: YZTBSU7P7E3K42LDJZVFCJ4QFQKYPPNV
X-Message-ID-Hash: YZTBSU7P7E3K42LDJZVFCJ4QFQKYPPNV
X-MailFrom: joshua@marionberry.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use case
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C178GqFpiUOUYrHkfZK1vQ2xkmk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I completely agree with Viktor’s statement. While I don’t understand the protocols supporting high frequency trading, I find the claim that HFT is bound by the handshake time dubious. I also wasn’t able to support the claim that HFT traders even use TLS at all; my understanding is that HFT traders use private connections that don’t have any encryption, just raw TCP/IP. My understanding is that the vast majority of third-party service providers only perform a TLS handshake directly before logging on, and use a stream protocol like WebSockets for further messages. 

It just doesn’t make sense to sell a high-frequency product where a TLS session must be opened before every trade, as that would also imply logging on/validating authentication before every trade, which would add extra latency as well. Any product that does this wouldn’t be competitive compared to other providers that optimize for latency.

I’d love to hear more from this trader because, as always, I could be wrong. But it seems to me like there is no aspect of high frequency trading where logon/session establishment latency is critical.

Best,
Joshua Nabors               
                               

-------- Original Message --------
On Tuesday, 02/17/26 at 09:22 Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
On Tue, Feb 17, 2026 at 11:02:08AM -0500, Paul Wouters wrote:

> I was asked by a TLS participant to relay some information publicly
> regarding their pure PQ mlkem use case. I have rephrased their ontribution
> in my own words below.
>
> 	There is a use case for MLKEM in the market of high-frequency
> 	trading.  Apparently there were complaints from those users (eg
> 	traders) in the past about the performane impact of migrating
> 	to TLS 1.2. If there is a performance drop with TLS 1.3 with an
> 	MLKEM hybrid, then migration to PQ (or TLS 1.3) would stall. If
> 	they can offer a (even tiny) performance gain of TLS 1.3 MLKEM
> 	over TLS 1.2 ECDHE, then this individual would have a strong
> 	case to deploy PQ security. Otherwise, the traders will insist
> 	on waiting until a CRQC is publicly known to exist.
>
> The individual stated they are in favour of adoption the pure mlkem
> document along with the hybrid document so people can pick either,
> depending in their use cases.

This does not look to me like a compelling rationale.  A high-frequency
trading system that does not route trades over a connection that was
established well before market open, and expects to beat the competition
by minimising connection establishment latency, is perhaps doing it wrong.
For already established TLS connections latency does not depend on which
key agreement group was used in the initial handshake.

In environments where resumption is typically available, TLS 1.2 can
somtimes offer lower amortised connection latency than TLS 1.3, because
TLS 1.2 does not redo key agreement during resumption.  While in TLS 1.3
interoperably negotiating "psk_ke", rather than "psk_dhe_ke" can be
quite challenging.

One might also point out that the payload of high-frequency trades is
not likely to be a long-term secret.  Old news by market close, if not
in a matter of minutes or seconds.  So harvest-now decrypt-later does
not look like a significant threat model in this use-case.

Why not just negotiate X25519, the smaller Client Hello packet size
likely more than makes up for any speed advantage from ML-KEM-768,
and its performance is quite competitive: (on my low-end CPU):

                                  op/s
     253 bits ecdh (X25519)    33494.6
                             keygens/s  encaps/s  decaps/s
                 ML-KEM-512    54360.7   80885.2   53943.8
                 ML-KEM-768    36473.2   60446.3   39872.6

Since for ML-KEM a client will do both keygen and decapsulation, X25519
may well be faster all around with little apparent reason to rush into
either pure or hybrid PQ in this use-case.

--
    Viktor.  🇺🇦 Слава Україні!

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-leave@ietf.org

v2.40.1 | Report a Bug | By Email | System Status