Hi David,

I respect your opinion but just some food for thought without going into a long debate:
On 27.04.26 21:58, David Benjamin wrote:
- If you model ML-KEM as broken, then relying on ML-KEM does not work.
Do we actually have a precise definition of what "model ML-KEM as broken" entails? Formalizing that thoroughly seems non-trivial.
Do we have a precise understanding of the assumptions under which the properties would hold? Formalizing that thoroughly seems to require careful work.
This already seems to involve more work than 8773bis which was nothing but standard TLS with external PSK, and indeed went through FATT analysis.
Did FATT review produce something good for us for 8773bis? Yes. Did FATT review settle that matter? Yes. Given the precedent, it's not obvious why such a step would be inappropriate here.
Unless you're suggesting we block the hybrid draft publication on this work?
I don't understand how blocking the hybrid draft is relevant to ML-KEM discussion. That is not facing any opposition by WG members and is peacefully on its way to publication.
Rather, the debates here relate to trade-offs around how valuable the hybrid property is, what the costs are, whether the outcome of those trade-offs is universal, and what to do with the document given the state of affairs.
I don't think further discussion of these tradeoffs will lead to convergence.
[...] a lack of "authentic references" for competing concerns. These are not formal methods results,
There may be a misunderstanding here. I would like to clarify that formal analysis is Sec. 3.3.1 and cost is Sec. 3.3.2. The two are unrelated. I never claimed that I can find the costs by formal analysis.
Best regards, -Usama
