Hi Rich,
> Are you so confident of all global deployments of TLS that you can assert that pure MLKEM is never worth the efficiency gain?

Did I ever assert or even imply such a strong statement? If so, please provide a reference to my email and exact sentence which led to this interpretation.

Also, "never" is doing a lot of work in your statement. My concern is right now, not forever.

I believe efficiency is dependent on so many other factors. Anyway, if that is the main motivation, elaborating "Efficiency gain at the cost of security" in the draft is exactly something which will make it less objectionable from my perspective. I have requested the former in the form of "motivation" and the latter in the form of "risks in security considerations".

> And who would you believe if they told you otherwise?

I trust you! But users and policy makers will most likely not read our beautiful debates on this list. They will read the draft. So please just write it down in the draft.

---

Hi Uri,

> Please note that you still haven’t answered Daniel’s question: what more of technical reasoning are you missing for ML-KEM?

I believe I did. Read [0] in the context of project IEEE 802.11bt. I believe algorithm security and protocol security are two separate issues.

> And whose expert opinion, besides Dr. Bernstein's, are you willing to accept?

First, I believe that's not the right question. It isn't about whose opinion I accept (hold on, who am I to accept or reject?); it's about the technical arguments they have raised. A couple dozen participants -- including but not limited to John Mattsson, Tanja Lange, Joshua Nabors, and Stephen Farrell -- have raised substantive concerns. I believe we have addressed John's concern on key reuse via consensus call [1]. I would like the WG to give due consideration to the rest of the concerns.

Second, I believe these "debates" do not belong to the TLS WG. I have mentioned quite a few times by now that we should dispatch these debates over to CFRG to get their attestation.

---

Hi Nico,

> Viktor is not against publication, but wants guidance saying
> that at this time we prefer hybrids

I strongly support Viktor's ask for guidance. Unfortunately, that is not what's happening in the draft repo. Hence, my worry.

Best,

-Usama


[0] https://mailarchive.ietf.org/arch/msg/tls/OqtPeFy43oFjZO89lb4RfdGkmkg/

[1] https://mailarchive.ietf.org/arch/msg/tls/HXlf6FvX4B6NmH0zeffiTiXCXw8/
