On Mon, Feb 23, 2026 at 04:34:46AM -0800, Eric Rescorla wrote:
> On Mon, Feb 23, 2026 at 12:20 AM Muhammad Usama Sardar <[email protected]> wrote:
>
> > Since this draft clearly seems to be controversial, I am still failing to
> > see why the chairs are not asking for an expert review by FATT to resolve the
> > matter. So, I once again request the chairs to initiate the FATT process. Maybe
> > the chairs can collect all related analysis and send these pointers along with
> > the request.
>
> It's not clear to me what you're hoping to learn from the FATT
> analysis. Is there some question about the properties of the
> combination of ML-KEM with TLS assuming that ML-KEM is
> in fact IND-CCA secure? I understand the question to be
> about the security of ML-KEM proper, which the FATT process
> is not designed to assess.
It is not possible to directly prove that IND-CCA implies that the KEM is secure for TLS 1.3, because IND-CCA is trivially broken in TLS 1.3. However, it is possible to prove that IND-CCA implies OW-PCVO (assuming the opposite leads to a contradiction), and that OW-PCVO implies the KEM is secure for TLS 1.3 (the setup is straight from the game). This implies that IND-CCA indeed implies that the KEM is secure for TLS 1.3.

-Ilari

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
