]> TU Dresden, Germany

muhammad_usama.sardar@tu-dresden.de

Security Transport Layer Security The draft presents symbolic and computational analysis of hybrid key exchange and standalone ML-KEM. In our observation, we believe that hybrid key exchange is preferable over standalone ML-KEM until a powerful CRQC exists which breaks all the bits of pre-quantum. This draft also offers opinions of the IETF participants and some preliminary discussion to help the developers and policymakers make informed choices. Finally, it offers minimal implementation guidance for hybrids. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Transport Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Readers are assumed to be familiar with , , and . Please note that the draft has currently several hyperlinks.

Objectives The draft serves three objectives:

• Summary of formal methods (symbolic and computational) works for hybrid key exchange and standalone ML-KEM
• Capturing the opinions of the IETF participants to avoid repetition
• Minimal implementation guidance for hybrids

Summary of Formal Methods Works The draft covers the formal methods for the security considerations of . This includes symbolic and computational analysis (to be interpreted as in SoK) of integration of standalone ML-KEM in the context of TLS. Specifically, it covers the formal analysis in ProVerif on the potential issue of asymmetry. The analysis confirms that asymmetry is not a problem.

Capturing the Opinions of IETF The draft also aims to reduce the endless repetition of arguments from both sides presented on several lists by documenting these arguments so they can simply be referred to. This draft captures what we understand them to be saying. The goal is that people can be a bit more fair and balanced to acknowledge others' opinions, rather than stating their opinion as universal truth, or else present substantial scientific evidence if they claim their opinion to be universal truth. In our understanding, the question largely boils down to: whether the traditional or post-quantum cryptographic primitive breaks first?

Minimal Implementation Guidance for Hybrids The implementation concern is not only whether ML-KEM is secure as a primitive, but whether a TLS deployment can show that both hybrid components were validated, transcript-bound, and fail-closed under the negotiated group.

Motivation requires to document the risks in the security considerations. To support those requirements for , this draft aims to formally study the security of standalone ML-KEM in TLS 1.3.

Intuition Leaking out the ECDHE key from hybrid key exchange should downgrade the security to the level of a standalone ML-KEM. Therefore, hybrid key exchange is in general more secure, unless:

• ECDHE is fully broken, in which case it still falls equivalent to standalone ML-KEM,
• in the hypothetical scenario that there is an implementation bug in the ECDHE part which is triggered only in composition. We have not yet seen any concrete evidence of such a scenario on the list.

We believe that in general:

Expected Learning We believe formal methods can provide additional value for security considerations of this draft in order to maintain the high cryptographic assurance of TLS. Adversary can record all traffic and decrypt it when ML-KEM is broken. The opinions of WG participants here vary from "ML-KEM is secure" to "ML-KEM is probably already secrectly broken." Formal methods can operate under the assumption that ML-KEM is secure, and focus on the integration of ML-KEM in TLS under this assumption.

• As an example, formal methods can help justify design choices, such as the preference for hybrid key exchanges. It can also help identify all the assumptions under which the properties hold.
• As a relevant data point in the context of standardization, LAKE WG has done formal analysis for EDHOC-PSK with KEM (ref).
• Computational analysis (cf. SoK) -- using tools such as CryptoVerif -- seems like a reasonable approach to ensure security of ML-KEM in TLS, such as binding shared secret ss to the TLS transcript hash.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

• Symbolic analysis: see SoK
• Computational analysis: see SoK
• Standalone ML-KEM refers to .
• Hybrid key exchange refers to and .

We believe that symbolic and computational models are complementary and not a substitute of each other.

Key Exchange and Key Encapsulation In traditional key exchange (DHKE), both endpoints send their public key shares g^x and g^y to derive a shared secret g^xy. In key encapsulation, there is essentially only one endpoint (say client) which generates the key pair (dk,ek) where dk represents the secret decapsulation key and ek represents the public encapsulation key. In a KEM, only one of the endpoints (client in above example) sends the public encapsulation key ek and the peer (server) sends a ciphertext ct.

Computational Analysis

Hybrids Technically, a proof of is done in the computational model using CryptoVerif (cf. ref). As per list discussion, it appears that the proof applies to the latest version of the spec , as there seem to be no substantive changes from the perspective of formal proof.

Standalone ML-KEM Some existing computational analysis for standalone ML-KEM in TLS include this and this. Both are based on pen-and-paper (computational) proofs. At the symbolic level, some analysis -- such as this for KEMTLS in Tamarin -- exists. In our understanding, both client and server encapsulate, which may bring the symmetry.

Symbolic Analysis For brevity, we omit other assumptions in the properties below and focus on the difference. This assumes hybrid constructor to be secure.

Minimum Viable Modeling Based on the discussion on list, simply replacing ideal DHKE by ideal ML-KEM in the formal model is not very useful. We ought to focus on the more security-critical questions about integration of ML-KEM in TLS. We present a few high-level observations to consider for security considerations of :

• The model ought to consider that any agent could have initiated the TLS, rather than assigning the agents with static roles of client and server in the model. When agents are assigned non-static roles, it would be interesting to see whether the asymmetry issue becomes visible in some property. We consider it very critical for security considerations of and this is the key point of this draft.
• Different failure modes proposed on list can be modeled.
• A large part of the problem is the careful investigation of what to model, under what threat model, under what system model, under what implementation scenarios etc. We believe some of this is important for security considerations of .
• It will be interesting to see some analysis about any subtle cases where hybrid key exchange in TLS is not at least as good as standalone ML-KEM in TLS. Our understanding is that some participants would like to see some statement on the comparison since hybrid key exchange is the de facto industry standard.
• We believe brainstorming about some robustness (vs. security) properties would also be useful. Even if the security properties hold, does standalone ML-KEM make side-channel leakage easier? This might be a valuable consideration for the implementers.
• Analysis may be helpful to ensure that the changes -- such as the removal of hash function (cf. Appendix C.1, bullet 3 in ) -- from Kyber to ML-KEM preserve the security proofs of Kyber.

Any analysis on these or related security and robustness matters is very welcome.

Hybrid Key Exchange Hybrid key exchange still maintains the DHKE part. From formal (symbolic) analysis perspective, g^x and g^y are still sent in hybrid key exchange, g^xy is still computed and we believe the commutativity property is applicable for that part as-is. From formal (symbolic) analysis perspective, ML-KEM is complementary to that. Specifically, from , for the symbolic analysis, X25519MLKEM768 in TLS may be viewed as: Formally, the property hybrid key exchange provides is: As presented in , hybrid key exchange preserves ECDHE component gxy, and concatenates ML-KEM component ss as an additional factor. So as long as at least one of these two secrets is not available to the adversary, all security properties should hold. In particular, even if ML-KEM is completely broken, i.e., ss is available to the adversary, the protocol retains the security level of ECDHE.

Standalone ML-KEM On the other hand, the formal property standalone ML-KEM provides is:

Results For the FATT process , the symbolic analysis was done in ProVerif by Nadim Kobeissi, who concludes: Results confirm integration of KEM in TLS is secure as long as the primitive itself is secure. In our understanding, results also imply a clear preference for hybrids under the Dolev-Yao model, in the sense that if the shared secret from ML-KEM becomes available to the adversary (for example, due to implementation bug), both confidentiality and authentication are broken in standalone ML-KEM, whereas under same condition, both confidentiality and authentication still hold as long as (EC)DHE is still not available to the adversary. We believe this applies until a powerful CRQC exists which breaks all the bits of pre-quantum, where the condition of (EC)DHE being available to the adversary is violated. The artifacts are available here for independent review.

Implementation-Facing Negative Cases The formal analysis above is not an implementation test suite and does not replace protocol conformance testing. However, a short set of negative cases can help implementers check that the intended hybrid binding property is reflected in their APIs, transcript handling, and key schedule integration. In particular, implementations of hybrid key exchange ought to reject, or fail safely on, cases such as the following:

• malformed or missing shares: The negotiated group is a hybrid group, but one component of the peer key share is missing, malformed, or associated with a different group.
• mixed transcript context: The ECDHE and KEM values are individually well-formed, but assembled from different handshakes, transcript contexts, or negotiated groups.
• fallback after hybrid negotiation: A peer attempts to continue the handshake as standalone ECDHE or standalone ML-KEM after a hybrid group was negotiated.
• premature secret derivation: Application traffic secrets are derived before both hybrid components have been validated and accepted under the negotiated group.
• API/logging ambiguity: Exported state, logs, traces, or implementation APIs make a hybrid exchange appear as if only one component was used or accepted.

These cases are not intended to create a new formal proof obligation. They are implementation-facing checks that help bridge the formal "both components are bound and accepted" property to concrete failure modes that implementations can accidentally mishandle.

Argument Matrix for Implementation Review The discussion above can be read as an argument matrix for implementers and reviewers. The point is not to resolve every policy preference in this document, but to make each recurring argument map to a concrete review question.

Argument	Implementation-facing review question	Why it matters
Hybrid key exchange retains two components.	Does the implementation make it clear that both the ECDHE and ML-KEM components were present, validated, and bound to the same negotiated group and transcript?	Otherwise a successful handshake may not actually reflect the formal "both components are bound and accepted" property.
Standalone ML-KEM has a single KEM shared secret.	Are failures in encapsulation, decapsulation, transcript binding, and key-schedule input handled as fail-closed errors rather than as retry or fallback paths?	A standalone construction has no second key-exchange component to preserve confidentiality if the ML-KEM path is mishandled.
Hybrid fallback is useful only when it is explicit.	After a hybrid group is negotiated, can either endpoint silently continue as standalone ECDHE or standalone ML-KEM?	Silent continuation changes the negotiated security property and makes interop failures hard to distinguish from downgrades.
Cost claims are deployment-dependent.	Are claimed savings measured separately for wire bytes, CPU, memory, latency, code complexity, and operational rollout?	Treating "cost" as a single value can hide whether a deployment is trading away cryptographic robustness for a negligible or unmeasured gain.
Formal models do not cover every implementation interface.	Do APIs, logs, exported state, and test harnesses expose enough detail to show which component failed or succeeded?	Reviewers need observable evidence that the implementation behavior matches the protocol-level claim.

This matrix is deliberately small. It is intended to help a reviewer decide whether a concrete implementation or deployment argument belongs in the formal-methods discussion, in implementation guidance, or in a separate operational cost analysis.

Issues That Formal Methods Probably Cannot Solve The answers to the following issues are largely dependent on several factors, and the opinions vary largely. It is necessary to mention that even several respectable cryptographers in the community are not aligned on the issue -- for example see the long bet. Hence, our personal opinion is probably not that important. Probably the best we can do is to capture our understanding of the views of WG participants.

Which breaks first: ML-KEM-768 or X25519? In our understanding, the key open question boils down to:

Does CRQC Break All Bits of Pre-quantum? Some participants believe that CRQC will break all bits of pre-quantum cryptographic, while some others believe that it will break only a few bits.

Policy/Regulations Some countries have a regulatory preference for hybrid key exchange.

Recommendation of Designers The authors of Kyber/ML-KEM (see this) say: A WG participant shares that:

Thorough Review Please see a very thorough review here, which is self-sufficient.

'Significantly Harder' Argument Some participants believe in the 'significantly harder' argument, which assumes independence of breakage of ML-KEM and traditionals: Please see this for what "broken" may mean here modulo some exclusions. Given the very different type of cryptographic constructions involved, independence might be a reasonable assumption. However, some participants disagree with 'significantly harder' argument with a reasonable counter-argument that in reality, cryptography is much more complicated than that (cf. this): In our understanding, most other counter-arguments seem to break the exclusions. Please note that this argument is based on the security of primitives, rather than the composition of primitives in protocols. Hence, formal methods probably have nothing to help here.

Urgency It is unclear whether and if applicable when Cryptographically-Relevant Quantum Computer (CRQC) will eventually become practical. The opinions vary from never because of complicated physics (see this) to be prepared for it as early as 2029 (see Google 2029 and Cloudflare 2029). Technically, please note that Google has not even released the quantum circuit underlying their recent claims -- apparently the reason for this urgency. So Google's claims may not yet be justified. Moreover, in our understanding, these deadlines are for PQ-based protection in general regardless of hybrid key exchange or standalone KEMs in TLS. Since hybrid key exchange is wildly in use, these deadlines are mainly for quantum-safe authentication. In any case, some participants see no reason to create panic for publication of based on this because many implementations -- such as OpenSSL -- have already implemented standalone ML-KEM, and it is just a matter of enabling it. And frankly, nobody needs permission from the IETF to enable it.

"Cost" "Cost" has been presented on the list as the motivation for standalone ML-KEM in TLS but we have not seen any supporting analysis. Our observation from is that -- for example -- for X25519MLKEM768, the traditional part seems negligible compared to ML-KEM part in key_exchange:

Bytes in field	PQ part (ML-KEM)	Traditional part (X25519)
Client share	1184	32
Server share	1088	32

We believe other "costs" will depend on several factors -- including but not limited to implementation details and deployment scenario -- and it is quite subjective. There seems to be a need for a thorough study to understand the "cost." We invite the WG participants to perform cost analysis and share the results with the WG.

Is Publication Necessary? Code Points for ML-KEM have already been assigned. provides detailed rationale as to why publication of such documents and the debates around that may be unnecessary. In our understanding, makes similar arguments.

Shiny New Crypto ML-KEM is quite new in the IETF and even in the IRTF. Some WG participants have shown concern over premature publication of until a detailed analysis has been done by CFRG. CFRG is starting some efforts for analysis. The extended deadline for submission is 22.06. Please see the latest CFRG chairs email for further details.

Formal Mapping of FIPS to IETF BCP14 As discussed on the TLS list, we are not aware of any formal mapping of the FIPS recommendations to the IETF BCP14 terminology, such as SHOULD vs. MUST. In general, we believe re-using FIPS recommendations is ambiguous for IETF readers.

Outstanding NIST Comments Some participants believe that NIST has rushed through the process and not addressed all the comments that were submitted during the open review. Please see comments here.

Too Early Some participants simply believe that publication of and related discussions are just too early and unnecessary.

Patents Some WG participants have raised some concerns related to patents. See some relevant patents here.

Implementation Bugs Some participants are worried about the implementations bugs. Some use it as advocacy for the use of hybrids that if one could exploit one of the two primitives, the other one can save.

Depth of Hybrids? Some participants have questioned the ML-KEM + ECC hybrids rather than, say, Module Lattices + McEliece + hash-based three-way composites.

Security Considerations The whole document is about improving security considerations. Like all security proofs, formal analysis is only as strong as its assumptions and model. The scope is typically limited, and the model does not necessarily capture real-world deployment complexity, implementation details, operational constraints, or misuse scenarios. Technically, formal proof only guarantees anything if all the assumptions hold, which is unlikely in practice. Formal methods should be used as complementary and not as substitute of other analysis methods.

IANA Considerations This document has no IANA actions.

References Normative References National Institute of Standards and Technology (U.S.) SandboxAQ This memo defines ML-KEM-512, ML-KEM-768, and ML-KEM-1024 as NamedGroups and and registers IANA values in the TLS Supported Groups registry for use in TLS 1.3 to achieve post-quantum (PQ) key establishment. Independent This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes RFCs 5077, 5246, 6961, 8422, and 8446. This document also specifies new requirements for TLS 1.2 implementations. IETF TLS WG In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References TU Dresden This document applies only to non-trivial extensions of TLS, which require formal analysis. It proposes the authors specify a threat model and informal security goals in the Security Considerations section, as well as motivation and a protocol diagram in the draft. We also briefly present a few pain points of the team doing the formal analysis which -- we believe -- require refining the process: * Provide protection against FATT-bypass by other TLS-related WGs * Contacting FATT * ML-KEM * Understanding the opposing goals * Response within reasonable time frame Aiven This document describes the current practices for handling new cryptography within the IETF. Some of these practices are informal and depend on individuals in certain relevant roles, such as Working Group Chairs, the Security Area Directors and the Independent Stream Editor. This document is intended to increase consistency and transparency in how the IETF handles new cryptography, such as new algorithms, ciphers and new primitives or combiners, by providing a reference for the cryptographic practices within the IETF. This document does not describe any new policies and does not prohibit exceptions in the described current practices. Cisco People keep pitching drafts to the TLS Working Group where the only thing the draft does is register a code point for a cryptographic algorithm. Stop doing that. It's unnecessary. Write an email to IANA instead. All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. PQShield AWS Cloudflare University of Waterloo This draft defines three hybrid key agreement mechanisms for TLS 1.3 - X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 - that combine the post-quantum ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) with an ECDHE (Elliptic Curve Diffie- Hellman) exchange. University of Waterloo Cisco Systems University of Haifa Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Discussion of this work is encouraged to happen on the TLS IETF mailing list tls@ietf.org or on the GitHub repository which contains the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design. University of Waterloo Cisco Systems University of Haifa and Meta Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if a way is found to defeat the encryption for all but one of the component algorithms. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Symbolic Software

Contributors Nadim Kobeissi performed a thorough formal analysis at high priority based on our call for analysis in previous versions of the draft to get a confirmation. Text in was proposed by Songbo Bu. Text in is based on the proposal by John Preuß Mattsson. is largely based on the opinions of many IETF participants. We gratefully thank Yaakov Stein and Ilari Liusvaara for their substantial technical guidance, valuable feedback, and contributions.

Acknowledgments We thank Eric Rescorla, Brian E. Carpenter, and Tibor Jager for their valuable feedback. We acknowledge several IETF participants who have contributed to this draft with their insights. The research work is funded by German Research Foundation ("Deutsche Forschungsgemeinschaft.")

History -00

• On popular demand, moved from to an independent I-D
• Major change: added
• Some minor clarifications

-01

• Added justification based on FATT process
• Reorganization, specially in motivation
• Added some common arguments:
• Comparison with hybrid key exchange

-02

• Added gap analysis
• What to model and analyze?
• Added FATT review is harmless
• Extended comparison with hybrid key exchange
• Opinion of designers

-03

• Completely restructured and reframed after confirmation by formal analysis
• Added implementation-facing negative cases and argument matrix
• Some new arguments: implementation bugs, depth of hybrids, policy, all bits, which primitive breaks first?