This tactic is explicitly called out in RFC 7282, and named as a "degenerate", "pathological", and "dysfunctional" state for the working group to be in. Shame on DJB for attempting to drive the working group into terminal dysfunction.
There are already codepoints assigned for MLKEM 512/768/1024 (0x0200, 0x0201, 0x0202) and nearly every major library supports it already:
- OpenSSL (ML-KEM-512/768/1024)
- BoringSSL (ML-KEM-1024)
- NSS (ML-KEM-1024)
- AWS-LC (ML-KEM-512/768/1024)
- Rustls (ML-KEM-768/1024)
- s2n-tls (ML-KEM-1024)
- Bouncy Castle (ML-KEM-512/768/1024)
- Botan (ML-KEM-512/768/1024)
- GnuTLS (ML-KEM-768/1024)
- WolfSSL (ML-KEM-512/768/1024)https://en.wikipedia.org/wiki/Kuznyechik#Cryptanalysis
(the work by Perrin that is mentioned is what I'm referring to).
The (pure) mlkem standard is also marked "recommended to implement = No". people are interested in implementing it. The IETF can't change that. They can try to ensure such implementations are interoperable though.
https://blog.cr.yp.to/20220805-nsa.html
> Some people seem to be unable to rationally consider the possibility that NSA is sabotaging post-quantum cryptography. I've heard people saying, for example, that submissions to the NIST Post-Quantum Cryptography Standardization Project (NISTPQC) were publicly designed and evaluated by top experts, and that NSA can't have bribed the submission teams. > > Let's look at the facts.
Note that the authors of ML-KEM are overwhelming European.
So all the companies who want to sell anything using TLS to the government want to standardize this, so they can be CNSA2 compliant.
Everyone already supports this in major libraries; but some folks feel they need an IETF RFC specifying it.
(I don't have to comply with CNSA2 so I might have details slightly off)
The linked piece is not representative of the broader cryptography community. ML-KEM is fine.
That’s pretty weak just stripping down the hybrid approach.
This is about a separate RFC with "recommended to implement = no".
If the IETF was trying to have these positions swapped, it would be consistent with DJBs post. It is not though. His post does not seem to be grounded in reality.
The latest post to the list, as of this post, is supporting the anti-ecdhe side, with the reasoning being that there is no code written for ecdhe, which is obviously stretching the truth beyond reasonable doubt.
Maybe giving this thread more visibility here than it wants but ...
https://bsky.app/profile/filippo.abyssdomain.expert/post/3mp...
(Personally it seems so so unacceptable to me to accuse so many good hardworking people of such bitter conspiracy.)