Just to be crystal clear - that would be a way to disallow key reuse
in TLS v1.3 when using MLKEM (as per RS6 in Section 1.3). Correct?
On 20/10/2025 12:05, John Mattsson wrote:
Hi,
I am concerned with the current PR #53 suggesting that SP 800-227
“provides general guidance”. This is not a correct description.
As stated in FIPS 203, SP 800-227 provides requirements for the use of
ML-KEM in applications. TLS 1.3 is such an application.
Unless the working group wants to discuss each requirement in detail,
I would suggest just adding:
“As stated in FIPS 203 {{FIPS203}}, SP 800-227 {{NIST-SP-800-227}}
provides requirements for the use of ML-KEM in applications.”
In general, I think it is very important that IETF follows NIST
requirements when using NIST algorithms like ML-KEM.
Cheers,
John
https://github.com/tlswg/tls-ecdhe-mlkem/pull/53
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf
_______________________________________________
TLS mailing list [email protected]
To unsubscribe send an email [email protected]