[TLS] Re: [EXT] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)

Soatok Dreamseeker <soatok.dhole@gmail.com> Tue, 30 June 2026 23:13 UTC

References: <akQtnH-z417KPh12@lady-voodoo.lan> <0656002E-640C-4140-8A64-1547E6716707@ll.mit.edu> <CAChr6Sy=JSyN46cEYgV6azxqY9FF4gaQdQfU2S74o5W32xfSSQ@mail.gmail.com> <CAOvwWh1A7hFmLPgUftmLoNtNJ8YtQrb1616cqB32ZBdExpg_sA@mail.gmail.com> <akRDT6lg-u8swZo_@ein.win.tue.nl>
In-Reply-To: <akRDT6lg-u8swZo_@ein.win.tue.nl>
From: Soatok Dreamseeker <soatok.dhole@gmail.com>
Date: Tue, 30 Jun 2026 19:13:32 -0400
Message-ID: <CAOvwWh0pNnRXESGvBw-JhhiVD818z=g77iijOK=+Mc2FbDtuKg@mail.gmail.com>
To: Tanja Lange <tanja@hyperelliptic.org>
CC: Bertrand Jacquin <bertrand=40jacquin.bzh@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>, "draft-ietf-tls-mlkem@ietf.org" <draft-ietf-tls-mlkem@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rjaz224m2rOhnCC8znFq9A4O4G0>

If you are aware of a weakness in ML-KEM, please enlighten us.

On Tue, Jun 30, 2026 at 6:29 PM Tanja Lange <tanja@hyperelliptic.org> wrote:

> You mean the competition where Rainbow got broken in February 2022, a few
> months after the end-of-2021 date which NIST had announced as the planned
> end of the competition? Where GeMSS had its underlying hardness assumption
> pulled out under it in November 2020? Where we're having an entire extra
> competition on signatures because of this? Where an IND-CCA2 issue in HQC
> was found after it was selected for standardization? Not to mention all
> the other systems that went down along the way, despite being seemingly
> based on solid assumptions. Did you count how many of them used lattices?
>
> Funny enough there doesn't seem to be anything wrong with the "moon math"
> as far as we know, it was just the usual issue that a hard math problem got
> weakened in the process of turning it into a cryptosystem, the torsion
> points had always been the most likely issue, we just didn't see the right
> tool to use them. Are we going to say the same about power-of-2 cyclotomics
> in a few years?
>
> In the short term I'm more concerned about implementation errors, given the
> scale of the new rollout, and consider it reckless to give up on existing
> protections that have gone through years of vetting and fixes. In the long
> run I'm not convinced that what we'll switch to after ECC + ML-KEM is
> ML-KEM, it's much more likely that by then we'll have a different system --
> in the optimistic case because we can do so much better (already now we
> have systems that are smaller and/or faster and based on the same ideas as
> Kyber, 9 years more of research make a difference), and in the pessimistic
> case because we need to increase the parameters or even move to a different
> system. I don't like the term "agility" and have complained about the
> misunderstandings it creates, but any change in systems now should be done
> in a way to make the next one easy.
>
> All the best
>         Tanja
>
> On Tue, Jun 30, 2026 at 05:20:44PM -0400, Soatok Dreamseeker wrote:
> > Something that has already happened to a moon math submission that was
> > not as widely understood as lattices. SIKE being broken was the
> > international standardization effort successfully working to motivate
> > folks to find attacks against novel cryptosystems. Using it as an
> > indictment of an unrelated algorithm is alarmingly ignorant.
> >
> > On Tue, Jun 30, 2026 at 5:13 PM Rob Sayre <sayrer@gmail.com> wrote:
> >
> >     On Tue, Jun 30, 2026 at 2:09 PM Blumenthal, Uri - 0553 - MITLL
> >     <uri@ll.mit.edu> wrote:
> >
> >         People seem to keep forgetting (or ignoring) the whole purpose
> >         of the PQ.
> >
> >         If your data won’t remain sensitive by the time CRQC arrives -
> >         you don’t even need a hybrid. Just use your Classic ECC,
> >         experiment with PQ or not, and prepare for eventual transition
> >         at some point in the future.
> >
> >         If your data will remain sensitive - then the difference between
> >         “it got compromised today” and “it got compromised with CRQC” is
> >         small, and ECC won’t help at all.
> >
> >     That's not the argument, though.  It's that classical attacks might
> >     break the PQ algorithms. Something that has already happened.
> >
> >     thanks,
> >     Rob
> >
> >     _______________________________________________
> >     TLS mailing list -- tls@ietf.org
> >     To unsubscribe send an email to tls-leave@ietf.org
> >