Yep, the upcoming SP 800-227 draft says that officially, order doesn't matter, at least in terms of the hybrids defined for TLS 1.3: https://doi.org/10.6028/NIST.SP.800-227.ipd
I don't know if "anything" hybrid with ML-KEM is theoretically FIPS but it does make things easier. On Thu, Feb 27, 2025, 2:16 PM Salz, Rich <[email protected]> wrote: > I thought that I remember (sic) that NIST said that hybrid key exchange, > where one was FIPS approved, was still FIPS approved, and further that the > order did not matter. Do I remember correctly? And, if so, does that mean > “anything” hybrid with MLKEM is FIPS-okay now? > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
