[TLS] Re: ML-KEM security considerations

Soatok Dreamseeker <soatok.dhole@gmail.com> Thu, 16 April 2026 15:01 UTC

References: <MN2PR17MB4031C02ECAC48452E131D245CD592@MN2PR17MB4031.namprd17.prod.outlook.com> <CAFR824xYZYkN1NyOKn704hR42A6s3tXeSKUFYUQ16twKPTnc4g@mail.gmail.com> <CABcZeBMgu6+X6Wip=s-nP+JL7PCfE+UMAx-UMLU20EhmN_r5Gw@mail.gmail.com> <CAPxHsSLedc=PbTtpLrza7+dD-_8chb8Ba6as9U-p5Z4oVhSNOA@mail.gmail.com> <69dfb420.050a0220.3ad330.8de4SMTPIN_ADDED_BROKEN@mx.google.com> <CAMjbhoWhAa5tfrEFs+LVL7nAZ5-43HhZ6-b9qHT1+sp_kixhvA@mail.gmail.com> <69e0efde.050a0220.130653.1a39SMTPIN_ADDED_BROKEN@mx.google.com>
In-Reply-To: <69e0efde.050a0220.130653.1a39SMTPIN_ADDED_BROKEN@mx.google.com>
From: Soatok Dreamseeker <soatok.dhole@gmail.com>
Date: Thu, 16 Apr 2026 11:01:26 -0400
Message-ID: <CAOvwWh06tpEg3aXD3-v_rgdjbBsOQ6PoGkp_bS=xzc8N6TZhFg@mail.gmail.com>
To: Wang Guilin <Wang.Guilin=40huawei.com@dmarc.ietf.org>
CC: Daniel Apon <dapon.crypto@gmail.com>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
Subject: [TLS] Re: ML-KEM security considerations
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3nZWg1ScXymdAdgbps3eZIs0FeU>

We need to be very careful with the weight we give hypotheticals. I can
imagine nightmarish hypotheticals that would send any rational person to
reach for 1024-bit symmetric key encryption and gigabyte asymmetric, but
none of those are realistic today, and anyone who tells you they are is
more marketer than security analyst.

The current estimate I've seen for the attack cost for ML-KEM-512 is around
2^{140} or so. If that's accurate, then even if you (through clever novel
mathematics) made the attacks 1000x faster than the best we have today,
we're still sitting comfortably above 2^{128}. Anything above 2^{100} still
seems out of the reach of adversaries today. So there's already some margin
baked into the weakest ML-KEM security level, and the one that I (and
others) are actually planning to ship is ML-KEM-768 (with or without
X25519).

One could even argue, as JP Aumasson did in *Too Much Crypto*, that our
security margins are already too conservative and we're sometimes leaving
performance on the table to hedge against attacks that, so far, have not
materialized.

Instead of hand-waving about hybrids (which will offer no real benefit over
PQ once a CRQC exists, but are sometimes the path of least resistance in
getting people to adopt PQ at all [1]), I believe we should spend our
attention tokens on deepening our overall understanding of other hard
problems that are well-suited to cryptosystems so we can have more
algorithm diversity in the future. For example: SQISign seems cool. Can we
do better than that? Can we make it constant-time?

Happy hacking,
Soatok

[1] I've written at length about the PQ vs hybrid topic recently:
https://soatok.blog/2026/04/13/hybrid-constructions-the-post-quantum-safety-blanket/

On Thu, Apr 16, 2026 at 10:19 AM Wang Guilin <Wang.Guilin=
40huawei.com@dmarc.ietf.org> wrote:

> Yes, it is true.
>
> But still, it is about the possibility of security drop or the confidence
> of a PQ algorithm in the near future.
>
> If such a PQ algorithm is as strong as it is expected in the near future,
> then pure PQ migration is clearly good.
>
> *From:* Bas Westerbaan <bas@cloudflare.com>
> *To:* Wang Guilin <Wang.Guilin=40huawei.com@dmarc.ietf.org>
> *Cc:* Daniel Apon <dapon.crypto@gmail.com>; Eric Rescorla <ekr@rtfm.com>; Salz,
> Rich <rsalz=40akamai.com@dmarc.ietf.org>; TLS List <tls@ietf.org>; Wang
> Guilin <Wang.Guilin@huawei.com>
> *Date:* 2026-04-15 17:58:01
> *Subject:* Re: [TLS] Re: ML-KEM security considerations
>
>> Today, we believe both PQ and T are 128-bit secure. However, 3 years later,
>> PQ becomes 108-bit secure while T is still 128-bit secure.
>>
>
> Hence we're not using ML-KEM-512 for that eventuality. ML-KEM-768 and
> ML-DSA-44 both have a comfortable margin above 128 bit security.
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>