On Thu, Sep 25, 2025 at 12:31:21AM +0000, Wang Guilin wrote:

> "The failure rate for ML-KEM is extremely low, so it is not necessary
> to address it in this specification."

I don't think this is sufficiently clear.  What does "extremely low"
mean?  Should the implementer care about it or not (despite lack of
further clarification in the specification)?  So I still think it is
best to say nothing at all, but if a claim is to be made, it would
have to be a stronger statement, that is more clear:

    The failure rate of ML-KEM with honest inputs is of theoretical
    interest only, its probability is negligible and SHOULD be ignored.
    Implementations SHOULD NOT attempt to distinguish between failures
    given bad inputs and essentially "impossible" failures with honest
    inputs.

-- 
    Viktor.  🇺🇦 Слава Україні!

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
