Hi David,
* After a little time to give early Kyber adopters time to migrate, we'll roll the change out more fully.

Are you planning to offer an X25519MLKEM768 key share on the initial ClientHello (in addition to X25519), or just advertise for those servers willing to burn a round-trip?

Cheers,

Andrei

From: David Benjamin <david...@chromium.org>
Sent: Tuesday, September 10, 2024 1:35 PM
To: Bas Westerbaan <bas=40cloudflare....@dmarc.ietf.org>
Cc: <tls@ietf.org> <tls@ietf.org>; p...@ietf.org
Subject: [EXTERNAL] [TLS] Re: Planned changes to Cloudflare's post-quantum deployment

Thanks Bas! We plan to do the same for Chrome, replacing X25519Kyber768Draft00 with X25519MLKEM768. X25519MLKEM768 should be live now to a small fraction of Chrome Canary, so that servers have some clients in the wild to test against. After a little time to give early Kyber adopters time to migrate, we'll roll the change out more fully.

(Due to how TLS 1.3 works, transitions for large KEMs are not the smoothest. Hopefully draft-ietf-tls-key-share-prediction will be ready for the next such transition.)

David

On Fri, Sep 6, 2024 at 7:03 AM Bas Westerbaan <bas=40cloudflare....@dmarc.ietf.org> wrote:

Hi all,

We are planning to replace X25519Kyber768Draft00 (0x6399) with X25519MLKEM768 (0x11ec) [1], a hybrid of ML-KEM-768 and X25519.

We will support X25519Kyber768Draft00 and X25519MLKEM768 at the same time for a while to allow clients the opportunity to migrate without losing post-quantum security.

Apart from these two, we also supported X25519Kyber768Draft00 under codepoint 0xfe31 and X25519Kyber512Draft00 (0xfe30). We logged zero uses of these two in the last week with a 1/100 sample rate. We will disable 0xfe31, 0xfe30 over the coming weeks.

Best,

Bas

PS. Not sure I shared it here already, but we have a public graph tracking client PQ key agreement deployment:

https://radar.cloudflare.com/adoption-and-usage#post-quantum-encryption-adoption

At the time of writing about 17% of all human traffic (by request count) with us is using X25519Kyber768Draft00.

[1] https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
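The distinction raised in the thread, between a client that sends an X25519MLKEM768 key share in its first ClientHello and one that only lists the group in supported_groups, can be read off a captured ClientHello. The following is an added example, not code from anyone in the thread: it parses a ClientHello body and reports, for each advertised group, whether an initial key share was sent. The X25519 code point 0x001d, the function names and the constructed sample message with all-zero key material are assumptions not taken from the page.

```python
import struct
# Code points from the thread, plus X25519 (0x001d in the IANA TLS Supported Groups registry).
GROUPS = {0x001d: "X25519", 0x11ec: "X25519MLKEM768", 0x6399: "X25519Kyber768Draft00",
          0xfe31: "X25519Kyber768Draft00 (0xfe31)", 0xfe30: "X25519Kyber512Draft00"}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51

def _skip(buf, pos, len_bytes):
    """Return the offset just past a length-prefixed vector starting at pos."""
    end = pos + len_bytes + int.from_bytes(buf[pos:pos + len_bytes], "big")
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return end

def client_groups(body):
    """Parse a ClientHello body (bytes after the 4-byte handshake header).
    Returns (groups in supported_groups, groups with an initial key_share)."""
    pos = _skip(body, 2 + 32, 1)   # legacy_version + random, then legacy_session_id
    pos = _skip(body, pos, 2)      # cipher_suites
    pos = _skip(body, pos, 1)      # legacy_compression_methods
    end, pos = _skip(body, pos, 2), pos + 2   # extensions block
    advertised, shared = [], []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SUPPORTED_GROUPS:
            advertised = [int.from_bytes(data[i:i + 2], "big")
                          for i in range(2, len(data) - 1, 2)]
        elif ext_type == EXT_KEY_SHARE:
            i = 2                  # skip the client_shares length
            while i + 4 <= len(data):
                group, key_len = struct.unpack_from("!HH", data, i)
                shared.append(group)
                i += 4 + key_len
    return advertised, shared

def classify(body):
    """Map each advertised group to 'key_share' or 'advertised only'."""
    advertised, shared = client_groups(body)
    return {GROUPS.get(g, hex(g)): "key_share" if g in shared else "advertised only"
            for g in advertised}

def sample_hello(advertised, shares):
    """Build a constructed ClientHello body; shares is [(group, key_length)]."""
    sg = b"".join(struct.pack("!H", g) for g in advertised)
    ks = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in shares)
    exts = b"".join(struct.pack("!HHH", t, len(d) + 2, len(d)) + d
                    for t, d in ((EXT_SUPPORTED_GROUPS, sg), (EXT_KEY_SHARE, ks)))
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
```

A group reported as "advertised only" can still be negotiated, but only after the server sends a HelloRetryRequest, which is the extra round trip mentioned in the thread.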