Hello,

As discussed during the TLS session at IETF 121, we would like to propose the adoption of draft-kwiatkowski-tls-ecdhe-mlkem.

There are a few open questions that need to be addressed:

1. **Alignment of NamedGroup X25519MLKEM768** with the order of shared secrets, as per Section 3.2 of draft-ietf-tls-hybrid-design.
   - I suggest updating the name to mlkem768_x25519, while keeping the codepoint unchanged (if that is acceptable). If this change is made, I also recommend changing the name of Secp256r1MLKEM768 to align with x25519.

2. **Changing the order of shares in Secp256r1MLKEM768**.
   - The current order is based on requirements from SP800-56C-r2, and it was chosen to facilitate the migration of the TLSv1.3 handshake in a flow requiring FIPS certification. Although the switched order of shares aligns with FIPS, it necessitates the re-certification of the cryptographic module. The current order supports modules that are already deployed in the field. My (slight) personal preference would be to proceed with adoption but switch the order only if NIST relaxes the requirement regarding the order of shares in SP800-56C-r2, which we know is under discussion. Otherwise, I believe the current choice better supports migration to non-hybrid MLKEM, but I would appreciate feedback on this decision (ideally from others who have a requirement for FIPS).

3. **Setting RECOMMENDED=Y for Secp256r1MLKEM768**.

Additionally, we plan to register Secp384r1MLKEM1024, but I believe this should only be done once we reach a consensus regarding point 2.

Thank you!

--
Kris Kwiatkowski
Cryptography Dev
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
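Points 1 and 2 above both turn on the order in which the two components are concatenated, in the key_share and in the combined shared secret. The following is an added illustration, not code from the draft or from its author: it encodes the layouts as the draft describes them (X25519MLKEM768 carries the ML-KEM component first, hence the naming mismatch in point 1; Secp256r1MLKEM768 carries the ECDH component first, the SP800-56C-r2 ordering in point 2), splits a key_share by that layout with a strict length check, and assembles the combined secret in the matching order. Component sizes are taken from FIPS 203 (ML-KEM-768), RFC 7748 (X25519) and the uncompressed SEC 1 point format (P-256); the function names and the helper table are this example's own.

```python
# Added example: byte layout of the hybrid key shares and combined shared secret
# for the NamedGroups discussed in this thread. Not part of the draft's text.
from typing import Dict, List, Tuple

# Component sizes in bytes. ML-KEM-768 sizes are from FIPS 203; X25519 from
# RFC 7748; P-256 is an uncompressed SEC 1 point (0x04 || X || Y).
MLKEM768_EK = 1184   # encapsulation key, carried in the client key_share
MLKEM768_CT = 1088   # ciphertext, carried in the server key_share
MLKEM768_SS = 32
X25519_PK = 32
P256_PK = 65
ECDH_SS = 32

# Concatenation order of the two components; the key_share and the combined
# shared secret use the same order for a given group (as the draft describes).
# X25519MLKEM768 puts ML-KEM first despite its name (point 1 of the mail);
# Secp256r1MLKEM768 puts the ECDH component first (the SP800-56C-r2 order, point 2).
LAYOUT: Dict[str, Tuple[str, str]] = {
    "X25519MLKEM768": ("mlkem", "ecdh"),
    "Secp256r1MLKEM768": ("ecdh", "mlkem"),
}

# Size of the ECDH public value for each group (helper table, this example's own).
_ECDH_PK = {"X25519MLKEM768": X25519_PK, "Secp256r1MLKEM768": P256_PK}


def share_layout(group: str, role: str) -> List[Tuple[str, int]]:
    """Return [(component, size)] for the key_share sent by `role` in `group`."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    mlkem_len = MLKEM768_EK if role == "client" else MLKEM768_CT
    sizes = {"mlkem": mlkem_len, "ecdh": _ECDH_PK[group]}
    return [(name, sizes[name]) for name in LAYOUT[group]]


def split_key_share(group: str, role: str, share: bytes) -> Dict[str, bytes]:
    """Split a key_share into its components; reject anything but the exact length."""
    layout = share_layout(group, role)
    expected = sum(size for _, size in layout)
    if len(share) != expected:
        raise ValueError(
            f"{group} {role} key_share must be {expected} bytes, got {len(share)}")
    parts: Dict[str, bytes] = {}
    offset = 0
    for name, size in layout:
        parts[name] = share[offset:offset + size]
        offset += size
    return parts


def combine_shared_secret(group: str, mlkem_ss: bytes, ecdh_ss: bytes) -> bytes:
    """Concatenate the two component secrets in the group's order.

    The result is what replaces the (EC)DHE input to the TLS 1.3 key schedule
    in the hybrid design.
    """
    if len(mlkem_ss) != MLKEM768_SS or len(ecdh_ss) != ECDH_SS:
        raise ValueError("each component shared secret must be 32 bytes")
    secrets = {"mlkem": mlkem_ss, "ecdh": ecdh_ss}
    return b"".join(secrets[name] for name in LAYOUT[group])


if __name__ == "__main__":
    # Constructed sample bytes, not real key material.
    ek, x_pk = b"\xaa" * MLKEM768_EK, b"\xbb" * X25519_PK
    parts = split_key_share("X25519MLKEM768", "client", ek + x_pk)
    print(share_layout("X25519MLKEM768", "client"))
    print("ML-KEM component recovered:", parts["mlkem"] == ek)
    print(share_layout("Secp256r1MLKEM768", "server"))
```

Swapping the tuple for Secp256r1MLKEM768 in `LAYOUT` is the whole of the change point 2 debates on the wire; the length check is the part a practitioner should keep regardless of the order chosen, since a share of the wrong size must be rejected rather than silently truncated or padded.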