[TLS] Re: Proposed Text on hybrid vs non-hybrid | Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2026-02-27)

Mon, 02 Mar 2026 13:46:43 -0800 

On Fri, Feb 27, 2026 at 08:35:26PM -0500, Deirdre Connolly wrote:
>    This Message Is From an External Sender
>    This message came from outside your organization.
>     
>    Trying to pull this up to its own subject
> 
>    Here's a stab at more text around hybrid vs not-hybrid in Security
>    Considerations:
>    # Security Considerations {#security-considerations}
> 
>     This document defines standalone ML-KEM key establishment for TLS 1.3.
>     Hybrid key establishment mechanisms, which support combining a
>    post-quantum
>     algorithm with a traditional algorithm such as ECDH, are supported
>     generically via {{HYBRID}} with some concrete definitions in
>     {{ECDHE-MLKEM}}. Hybrid mechanisms provide security as long as at least
>    one
>     of the component algorithms remains unbroken, such as combining
>     quantum-resistant and traditional cryptographic assumptions. Standalone
>     ML-KEM relies on lattice-based and hash function cryptographic
>    assumptions
>    -for its security.
>    +for its security. Proponents of hybrid PQ/T key establishment generally
>    +consider it a conservative approach to deployment of newer post-quantum
>    +schemes alongside older traditional schemes, retaining at least the
>    security
>    +currently offered by traditional algorithms.

I think this is perhaps missing the point of my concern ... while I do think
that we should have more text in the security considerations about the
perception of relative risk between hybrid and non-hybrid PQ usage my
overarching concern is that the TLS WG needs to have a consistent overall
position for documents being published ~contemporaneously.  Which is to say, I
think we need to acknowledge that in {{HYBRID}} we are giving guidance that,
generally speaking, hybrids are preferred at present, and indicate why the
mechanisms in this document diverge from the general guidance, so as to place
the two documents in a consistent posture overall (presumably, by carving out a
specific subset of cases in which this document applies more specifically than
{{HYBRID}} does).

I don't see any of that in this proposed text; my proposed text was attempting
to achieve this goal by referencing the "sense of the security community
recorded in {{HYBRID}}" and linking back to the use-cases in {{motivation}}
that provide some justification to avoid hybrids for those use cases.

-Ben

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to