SP 800-227 is already required by FIPS 203 for the use of ML-KEM in applications. Referencing SP 800-227 directly, rather than just indirectly through FIPS 203, is not a technical change.
SP 800-227 disallows the use of an ephemeral key in more than one key-establishment execution. It permits the reuse of static keys, as well as the reuse of ephemeral keys across multiple key shares, provided that only one of those shares is used for key establishment.

John

From: Kris Kwiatkowski <[email protected]>
Date: Monday, 20 October 2025 at 13:29
To: [email protected] <[email protected]>
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

Just to be crystal clear - that would be a way to disallow key reuse in TLS v1.3 when using MLKEM (as per RS6 in Section 1.3). Correct?

On 20/10/2025 12:05, John Mattsson wrote:

Hi,

I am concerned with the current PR #53 suggesting that SP 800-227 "provides general guidance". This is not a correct description. As stated in FIPS 203, SP 800-227 provides requirements for the use of ML-KEM in applications. TLS 1.3 is such an application. Unless the working group wants to discuss each requirement in detail, I would suggest just adding:

"As stated in FIPS 203 {{FIPS203}}, SP 800-227 {{NIST-SP-800-227}} provides requirements for the use of ML-KEM in applications."

In general, I think it is very important that IETF follows NIST requirements when using NIST algorithms like ML-KEM.

Cheers,
John

https://github.com/tlswg/tls-ecdhe-mlkem/pull/53
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
