[TLS] Re: forwarding draft-ietf-tls-mlkem-05 use case
Eric Rescorla <ekr@rtfm.com> Tue, 17 February 2026 18:08 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C7634B8ECCE4 for <tls@mail2.ietf.org>; Tue, 17 Feb 2026 10:08:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q15LSK50dm_4 for <tls@mail2.ietf.org>; Tue, 17 Feb 2026 10:08:04 -0800 (PST)
Received: from mail-yx1-xb136.google.com (mail-yx1-xb136.google.com [IPv6:2607:f8b0:4864:20::b136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 060B7B8ECC6C for <tls@ietf.org>; Tue, 17 Feb 2026 10:08:04 -0800 (PST)
Received: by mail-yx1-xb136.google.com with SMTP id 956f58d0204a3-64ae5f0777dso4302947d50.3 for <tls@ietf.org>; Tue, 17 Feb 2026 10:08:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1771351683; cv=none; d=google.com; s=arc-20240605; b=Psz9bys5eM6koLZNfZG7bc8iCWkC18Gn8VokEntgGHZW8Hcy0FT7MOps1joGq573Z/ 9f4AdqZiuSJUTbZm/ZOjlTMETDtK1Dohs6yvee1sGYImdlmTPjWXiaM3ItInEdKC18NN oRJUE5iZs064BT+xeYkUEKZSrYpH652aeXLpp656U3S5qMuFIKK1h0cn3h4UUGdiEFmo qBjEQqPnwLS0LDWaaddFCTb6W6MWqJ14p7FNqNgY0ggfOnN6A4bBB2gFM82DkXweivhO VgvQIz8MiQYfijymoltuXEJrOTxrC/tkM9bqIHnkhkHYwq/vFaRKNddsJAtVMjCc2lOg a5Tg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=xrvFvoxwxyU8X1xcxkO9vHfOFchXd+nWYjNVdJukduo=; fh=pKNaM6CvENuZdsYiCY53hS8ZBDlDMpyzKXnPE2jXilc=; b=SHLj3+cKvzk/OZ3VDPzgSr4z47TYXeUjC1Pa/TRgI4UzwFxmDF1x1FldNnJA4pBEni zy+Rl/1MhEdG/PzabLvv/QyWvmVkiuAayCrqkRDcWp6upSCooTe5UaEW3tFDhUvBOQuq OvcwrOxWqwO81knHJsF9ANpdv93oxG71TVVCFMat5u7kmqaHRjwFLgJVuPeMLm5mQbcw gO4X7D54PnLL4MvfV36+NmS8x0jFcbQh1JSZBDH4Z1l02vqKcWn4+xQ7Pmu9rOouVAk/ Qj+0IizBU5BWY61dGhGybkWzHZeXc+f6gXNk9xLZEHAX9HlmyFahNk7zr9FUalljUwMI ThiA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1771351683; x=1771956483; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=xrvFvoxwxyU8X1xcxkO9vHfOFchXd+nWYjNVdJukduo=; b=pzw2rwjs9s/tb/kwJHQlOx76mjd/GrcXdGi2J0LQh3TRi3dzHQ56Cz9asjDDmhkxw0 ctIUdGfMcNC+NNwjwA7PeRfaJhMKwlX8S1m4s8JmDYRy8DH65bRUpLarb2j3MBVL1LhB rP93GyksjgMnsl2PsNARfi4M5UkDCdfKAbm7RI8jPfW1N7MkoDdlQ2aklHwjb/wTa6tB YFigojt25KOzpYV5PDSAuF7+/HF1hKfPPjWSDK51IyU0poBXEMlgUA2yJEgfD9fNVUO3 TP9nxPKCrhmWFjGNSsRZG0J7CXiSmQpBrTarlNWHKwj4+/v2ccWmcZkrTPqldTcIPoLd J06Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771351683; x=1771956483; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=xrvFvoxwxyU8X1xcxkO9vHfOFchXd+nWYjNVdJukduo=; b=iGm+kYQ8qZeTfciB2irzW7H5V2qd7pJ4EW0RnfFV45ZS7A0D9V7gTw+oy1+n0GFH0x NqXodM2wjkKsxquuskrYBPQrjGy8sggjGwuCjjYkJ5iiJlCiWbnXMRACl6+PvdLZxIxl x905f4+tTtNURgJuXPxxIrufXWhGhO+iw6/H6OpPeL11iDQXGiWO7BkqLtoFJyqHvK9Q khgJ4kXZrYlkOs2eRKcwgWOidPqK/dUoydRZL3+osyhH3RrdZoeGrg0Nvy1j3c2PCmas sxA68BQa0D0Fz+V4p66NfkTsSbYMMYspIMW64Yop3VtMWtHrhf+fearXkKRWalYacxc+ Zu7w==
X-Gm-Message-State: AOJu0YwIkZGX00yswXMhc9XSe8K1WhWEkwf8a4ZnUh3fgayRzRPuAGLM lMG0VjkIV6TVCc1ceLrJPjwyyM3r0vch/cI0F2vDMoho4EcgCeHTTy37gcPnaWyTZStz5GurjGF 8MyVLVp5e021DwvCvs4SBdnZcmlrRwsOS+7dVzQNYQA==
X-Gm-Gg: AZuq6aIgy+hcBmumLSAiK+5Ri2w/emOIibscQa+V+3nlE00uEJ+0j8cqGSEKGKuVUz/ DeF0hIFkEbV5bcIm9wkh+hCFDeZZp4m7Q/M3VjfWfLxTuMqiXGwb9eRpZqLm4JkIVVKahyMEiuD jN/Hg08DVOxeyHcrN9Hb7Ys7/xhVLJrZpv2iZ9+CmZzuiM/bbm50TsqYUaKzceiqcwx1wmJ8o2L uOowoaNqgDw/L+WmqIu1MSE9Mcagl/oTZMNl0mM6OcbawvyyG1dMXRP25kpEQx6FjRkTZ01o/tg H4BIEAKgqX8F5BizrfVK77bOMMbO3LWMeAvlYfvlqDdOUGwduinV9/wY3vUyhksA2VAHbhEeygR LG//YFSYnWwXfcSqyqCeIFA==
X-Received: by 2002:a05:690c:6612:b0:796:4235:ea0d with SMTP id 00721157ae682-797a0cacb70mr248827507b3.37.1771351683329; Tue, 17 Feb 2026 10:08:03 -0800 (PST)
MIME-Version: 1.0
References: <350ec383-ae75-cadf-ab47-41811d5d9cec@nohats.ca> <aZSjqJmagFIPRXWB@chardros.imrryr.org> <QoU2sZuraBPD8Ak_h7dueHinUBEXa-y2P0riVkyeZM7d1iwOMVjQHaEQB7BESm7fjDgKh2z9BSyC7gsxAKAsWz5ssi5UsGtZw8eJstR2IWQ=@marionberry.net>
In-Reply-To: <QoU2sZuraBPD8Ak_h7dueHinUBEXa-y2P0riVkyeZM7d1iwOMVjQHaEQB7BESm7fjDgKh2z9BSyC7gsxAKAsWz5ssi5UsGtZw8eJstR2IWQ=@marionberry.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 17 Feb 2026 10:07:27 -0800
X-Gm-Features: AZwV_Qhf9ilapD_aEfXQ1sxi29YR4--Fk22agt_rn5sgCZvpjZ0CzSqYv-SJIkg
Message-ID: <CABcZeBP93tQPcZQ4Qa8kdYyn4Of3VyvcEcpgKjMa1v+67sWY-A@mail.gmail.com>
To: Joshua <joshua=40marionberry.net@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000db7f0a064b08f3f1"
Message-ID-Hash: VLZXIVYDBZW5K677E7M6KRNBQ33TDPDW
X-Message-ID-Hash: VLZXIVYDBZW5K677E7M6KRNBQ33TDPDW
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use case
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/k70x1ehYrtxljXgYZ4LUEgotHgc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
I generally agree with the points others have made here, but I'm also inclined to heavily discount this kind of anonymous input. The converse of the expectation that people speak for themselves is that people actually speak up. -Ekr On Tue, Feb 17, 2026 at 9:34 AM Joshua <joshua= 40marionberry.net@dmarc.ietf.org> wrote: > I completely agree with Viktor’s statement. While I don’t understand the > protocols supporting high frequency trading, I find the claim that HFT is > bound by the handshake time dubious. I also wasn’t able to support the > claim that HFT traders even use TLS at all; my understanding is that HFT > traders use private connections that don’t have any encryption, just raw > TCP/IP. My understanding is that the vast majority of third-party service > providers only perform a TLS handshake directly before logging on, and use > a stream protocol like WebSockets for further messages. > > It just doesn’t make sense to sell a high-frequency product where a TLS > session must be opened before every trade, as that would also imply logging > on/validating authentication before every trade, which would add extra > latency as well. Any product that does this wouldn’t be competitive > compared to other providers that optimize for latency. > > I’d love to hear more from this trader because, as always, I could be > wrong. But it seems to me like there is no aspect of high frequency trading > where logon/session establishment latency is critical. > > Best, > Joshua Nabors > > > -------- Original Message -------- > On Tuesday, 02/17/26 at 09:22 Viktor Dukhovni <ietf-dane@dukhovni.org> > wrote: > On Tue, Feb 17, 2026 at 11:02:08AM -0500, Paul Wouters wrote: > > > I was asked by a TLS participant to relay some information publicly > > regarding their pure PQ mlkem use case. I have rephrased their > ontribution > > in my own words below. > > > > There is a use case for MLKEM in the market of high-frequency > > trading. Apparently there were complaints from those users (eg > > traders) in the past about the performane impact of migrating > > to TLS 1.2. If there is a performance drop with TLS 1.3 with an > > MLKEM hybrid, then migration to PQ (or TLS 1.3) would stall. If > > they can offer a (even tiny) performance gain of TLS 1.3 MLKEM > > over TLS 1.2 ECDHE, then this individual would have a strong > > case to deploy PQ security. Otherwise, the traders will insist > > on waiting until a CRQC is publicly known to exist. > > > > The individual stated they are in favour of adoption the pure mlkem > > document along with the hybrid document so people can pick either, > > depending in their use cases. > > This does not look to me like a compelling rationale. A high-frequency > trading system that does not route trades over a connection that was > established well before market open, and expects to beat the competition > by minimising connection establishment latency, is perhaps doing it wrong. > For already established TLS connections latency does not depend on which > key agreement group was used in the initial handshake. > > In environments where resumption is typically available, TLS 1.2 can > somtimes offer lower amortised connection latency than TLS 1.3, because > TLS 1.2 does not redo key agreement during resumption. While in TLS 1.3 > interoperably negotiating "psk_ke", rather than "psk_dhe_ke" can be > quite challenging. > > One might also point out that the payload of high-frequency trades is > not likely to be a long-term secret. Old news by market close, if not > in a matter of minutes or seconds. So harvest-now decrypt-later does > not look like a significant threat model in this use-case. > > Why not just negotiate X25519, the smaller Client Hello packet size > likely more than makes up for any speed advantage from ML-KEM-768, > and its performance is quite competitive: (on my low-end CPU): > > op/s > 253 bits ecdh (X25519) 33494.6 > keygens/s encaps/s decaps/s > ML-KEM-512 54360.7 80885.2 53943.8 > ML-KEM-768 36473.2 60446.3 39872.6 > > Since for ML-KEM a client will do both keygen and decapsulation, X25519 > may well be faster all around with little apparent reason to rush into > either pure or hybrid PQ in this use-case. > > -- > Viktor. 🇺🇦 Слава Україні! > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org >
- [TLS] forwarding draft-ietf-tls-mlkem-05 use case Paul Wouters
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Viktor Dukhovni
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Bas Westerbaan
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Joshua
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Eric Rescorla
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Peter Gutmann
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … Muhammad Usama Sardar
- [TLS] Re: forwarding draft-ietf-tls-mlkem-05 use … John Mattsson
- [TLS] Re: [EXT] Re: forwarding draft-ietf-tls-mlk… Blumenthal, Uri - 0553 - MITLL