Eric: I agree. DSA also had a super small possibility of a signature failing. If it ever happened, one would generate a new k value and try again. I understand it never happened, and people stopped talking about the failure case...
Russ

On Mon, Sep 22, 2025 at 9:04 PM Eric Rescorla <[email protected]> wrote:
> Hi folks,
>
> I see that the hybrid doc continues to have this text:
>
> Failures. Some post-quantum key exchange algorithms, including ML-KEM
> [NIST-FIPS-203 <https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-16.html#NIST-FIPS-203>],
> have non-zero probability of failure, meaning two honest parties may derive
> different shared secrets. This would cause a handshake failure. ML-KEM has a
> cryptographically small failure rate; if other algorithms are used,
> implementers should be aware of the potential of handshake failure. Clients
> MAY retry if a failure is encountered.
>
> There was extensive discussion about this for the pure ML-KEM draft, and my
> sense was the sentiment was that this should not be discussed, at least for
> ML-KEM. I think we should remove this whole section.
>
> -Ekr
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
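The DSA failure case Russ refers to above is the one FIPS 186 handles by discarding the per-signature value k and drawing a new one whenever r == 0 or s == 0. The following is an added illustration, not code from this thread or from any TLS implementation: a toy DSA signer over a deliberately tiny group (the parameters P, Q, G, the private key x and the hash value h are constructed here so the s == 0 case can actually be reached; they are not secure), with the retry loop made explicit and counted so the benign-failure-then-retry behaviour is visible.

```python
# Added example (not from the mailing-list thread): toy DSA signing loop that
# shows the "regenerate k and try again" handling for the r == 0 / s == 0 case.
# The group below is deliberately tiny so the failure case is reachable; it is
# a constructed illustration and NOT a secure parameter set.
from typing import Iterator, Tuple
import secrets

P, Q, G = 23, 11, 4  # constructed toy group: Q divides P-1 and G has order Q mod P


def keygen(x: int) -> int:
    """Return the public key y = G^x mod P for a private key x in [1, Q-1]."""
    assert 1 <= x < Q
    return pow(G, x, P)


def random_nonces() -> Iterator[int]:
    """Fresh, uniformly random per-signature k in [1, Q-1].
    Each signature must use a new k; reusing k across messages leaks x."""
    while True:
        yield 1 + secrets.randbelow(Q - 1)


def sign(h: int, x: int, nonces: Iterator[int]) -> Tuple[Tuple[int, int], int]:
    """Sign the hash value h (already reduced mod Q) with private key x.
    Returns ((r, s), retries). As FIPS 186 requires, a k that yields r == 0
    or s == 0 is discarded and a new k is drawn from the nonce source."""
    retries = 0
    for k in nonces:
        r = pow(G, k, P) % Q
        if r == 0:
            retries += 1
            continue
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if s == 0:
            retries += 1
            continue
        return (r, s), retries
    raise RuntimeError("nonce source exhausted without producing a valid signature")


def verify(h: int, sig: Tuple[int, int], y: int) -> bool:
    """Standard DSA verification: v == r with v = (G^u1 * y^u2 mod P) mod Q."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (h * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def demo() -> Tuple[Tuple[int, int], int, bool]:
    """Force the failure case with a scripted nonce sequence, then retry.
    With x = 3 and h = 10 (constructed), k = 1 gives s == 0, so the signer
    discards it and succeeds with k = 2."""
    x = 3
    y = keygen(x)
    h = 10
    sig, retries = sign(h, x, iter([1, 2]))
    return sig, retries, verify(h, sig, y)


if __name__ == "__main__":
    print(demo())  # ((5, 7), 1, True)
```

The scripted nonce iterator exists only to make the failure reproducible; in practice k comes from a source like `random_nonces()`, and the retry simply draws the next random value, which is exactly the "generate a new k and try again" handling described in the reply.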
