Eric: I agree. DSA also had a super small possibility of a signature failing. If it ever happened, one would generate a new k value and try again. I understand it never happened, and people stopped talking about the failure case...
Russ

On Mon, Sep 22, 2025 at 9:04 PM Eric Rescorla <e...@rtfm.com> wrote:
> Hi folks,
>
> I see that the hybrid doc continues to have this text:
>
> Failures. Some post-quantum key exchange algorithms, including ML-KEM [NIST-FIPS-203 <https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-16.html#NIST-FIPS-203>], have non-zero probability of failure, meaning two honest parties may derive different shared secrets. This would cause a handshake failure. ML-KEM has a cryptographically small failure rate; if other algorithms are used, implementers should be aware of the potential of handshake failure. Clients MAY retry if a failure is encountered.
>
> There was extensive discussion about this for the pure ML-KEM draft, and my sense was the sentiment was that this should not be discussed, at least for ML-KEM. I think we should remove this whole section.
>
> -Ekr
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
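The DSA retry Russ refers to, as an added example that is not part of the thread: a toy DSA signer over constructed parameters (p=23, q=11, g=4, far too small for real use) that discards the nonce k and draws a new one whenever r or s comes out zero, plus a forced case in which the first nonce is rejected so the retry is visible.

```python
import secrets

# Toy DSA parameters, constructed for illustration only: q divides p - 1
# and g generates the order-q subgroup of Z_p^*. Real DSA uses 2048+ bit p.
P, Q, G = 23, 11, 4

def keygen(x=None):
    """Return (x, y): private exponent x in [1, q-1] and public key y = g^x mod p."""
    if x is None:
        x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def dsa_sign(h, x, next_k=None):
    """Sign the hash value h (already reduced mod q) with private key x.

    next_k() supplies the per-signature nonce; the default draws it at random.
    DSA sets r = (g^k mod p) mod q and s = k^-1 (h + x*r) mod q, and both must
    be non-zero. When either is zero the signer discards k and tries again,
    which is the retry described above. Returns (r, s, attempts).
    """
    if next_k is None:
        next_k = lambda: 1 + secrets.randbelow(Q - 1)
    attempts = 0
    while True:
        attempts += 1
        k = next_k()
        r = pow(G, k, P) % Q
        if r == 0:
            continue          # invalid signature: pick a fresh k
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if s == 0:
            continue          # invalid signature: pick a fresh k
        return r, s, attempts

def dsa_verify(h, y, r, s):
    """Standard DSA verification; rejects out-of-range r or s up front."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r

def forced_retry_demo():
    """With x = 3 and h = 10, nonce k = 1 gives s = 0 and is rejected;
    k = 2 then yields the final signature (r, s) = (5, 7)."""
    x, y = keygen(3)
    ks = iter([1, 2])   # scripted nonces so the rejected attempt is reproducible
    r, s, attempts = dsa_sign(10, x, next_k=lambda: next(ks))
    return r, s, attempts, dsa_verify(10, y, r, s)

if __name__ == "__main__":
    print(forced_retry_demo())  # (5, 7, 2, True)
```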