IETF Logo Mail Archive

[Last-Call] Re: [TLS] Re: Re: Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

"D. J. Bernstein" <djb@cr.yp.to> Thu, 04 June 2026 20:04 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: last-call@mail2.ietf.org
Delivered-To: last-call@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8775AFB32E6B for <last-call@mail2.ietf.org>; Thu, 4 Jun 2026 13:04:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780603495; bh=xEX5k+nzew3Xs1VuEZrQAQVKp3bVpRVGLjQvZddeFOg=; h=Date:From:To:Subject:In-Reply-To; b=xBwXGL945lmzI+dr7E49sribBxgbsWeJ03xdU0yqyXtxWknrlV29yFrxC9n4kr02v +CuBrVgUKK4SjWAYyUO6iezp7sq4j1jOqMVbSPg0hkRhepNXL0eB7woGW/lJTb+e+X IhlM00ElNybGkja0ZQ6yLRfqIVAG8f9VRoBWWyrU=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=unavailable autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JMrydrXv1RCD for <last-call@mail2.ietf.org>; Thu, 4 Jun 2026 13:04:55 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by mail2.ietf.org (Postfix) with SMTP id 0D3BCFB32E5E for <last-call@ietf.org>; Thu, 4 Jun 2026 13:04:55 -0700 (PDT)
Received: (qmail 1001242 invoked by uid 1010); 4 Jun 2026 20:04:54 -0000
Received: from unknown (unknown) by unknown with QMTP; 4 Jun 2026 20:04:54 -0000
Received: (qmail 2431041 invoked by uid 1000); 4 Jun 2026 20:04:55 -0000
Date: Thu, 04 Jun 2026 20:04:55 -0000
Message-ID: <20260604200455.2431039.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, tls@ietf.org, last-call@ietf.org
Mail-Followup-To: tls@ietf.org, last-call@ietf.org
In-Reply-To: <6cbe67aa-c3a2-4d4d-98dc-f4d14c544676@cs.tcd.ie>
Message-ID-Hash: BIC4R7HQXZQWKADOF62WNHZ2MCTYDAO6
X-Message-ID-Hash: BIC4R7HQXZQWKADOF62WNHZ2MCTYDAO6
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Last-Call] Re: [TLS] Re: Re: Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC
List-Id: IETF Last Calls <last-call.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/_2HGk2y29OuAqd9kRB0Baa8VHuw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Owner: <mailto:last-call-owner@ietf.org>
List-Post: <mailto:last-call@ietf.org>
List-Subscribe: <mailto:last-call-join@ietf.org>
List-Unsubscribe: <mailto:last-call-leave@ietf.org>

Stephen Farrell writes:
> D. J. Bernstein wrote:
> > IETF does not control software engineering. It_does_ control which TLS
> > options it will endorse. At that layer, there are currently two choices:
> > (1) common-sense ECC+PQ; (2) damaging security with solo PQ.
> I disagree. There's also: (3) experiment with PQ authentication in TLS
> while recommending against production deployment at this time.

Sure, one can consider any combination of answers to the following
questions:

    (A) What to deploy?
    (B) When to deploy it?

Considering combinations can be useful for seeing whether are
interactions between those two questions.

Regarding those combinations: The main graph

    https://cr.yp.to/papers/mldsa-20260601.pdf#breakable-keys

in my paper already addresses the question of what the attacker will be
able to break in future years, as does Section 1: "The main conclusion
is that far fewer Ed25519+ML-DSA keys will be breakable than ML-DSA
keys, not just before the first quantum attack but also continuing for
years after the first quantum attack. This conclusion is robust against
uncertainties in the underlying numbers, such as bug rates."

For example, deployment starting in 2028 or 2030 or 2032 will have far
fewer breakable keys if the choice is Ed25519+ML-DSA than if the choice
is solo ML-DSA, even assuming secret quantum attacks start in 2029. In
other words, solo ML-DSA is a security disaster whether we're talking
about now or years from now.

As for the question of whether Ed25519+ML-DSA or just _Ed25519_ is
safer, https://cr.yp.to/papers/mldsa-20260601.pdf#eccpq-vs-ecc explains
why this one is a close comparison, _not_ robust against changes in the
underlying numbers.

Why isn't Ed25519+ML-DSA automatically at least as safe as Ed25519?
Consider the fact that the current panic to deploy new ML-DSA software
could easily produce an exploitable buffer overflow. There are certainly
variable array indices in ML-DSA code: see, e.g.,

    https://github.com/cryspen/libcrux/commit/4eb8d4074be4b4c9eca2c40e33eae11534d43bfa

fixing a bad bounds check on a variable-index array access. The 2026/192
description of the bad bounds check as a vulnerability stops with some
irrelevant-to-TLS issues such as signature malleability---giving readers
the impression that there aren't more serious issues such as leaking
secret data from RAM after the signature, but I haven't seen anyone
giving a clear, detailed analysis of that. Anyway, my paper describes
broader reasons that it's hard to compare this type of risk to the
quantum risk.

---D. J. Bernstein


===== NOTICES =====

IETF BCP 78, "Rights Contributors Provide to the IETF Trust", Section 5
(normative), "Rights in Contributions", provides a modification right
"unless explicitly disallowed in the notices contained in a Contribution
(in the form specified by the Legend Instructions)".

The official language from IETF's "Legend Instructions" for the
situation that "the Contributor does not wish to allow modifications nor
to allow publication as an RFC" is as follows: "This document may not be
modified, and derivative works of it may not be created, and it may not
be published except as an Internet-Draft."
<https://trustee.ietf.org/wp-content/uploads/Corrected-TLP-5.0-legal-provsions.pdf>

The same language is used in, e.g., RFC 5831. The same language hereby
applies to this document. This is not disclaiming or limiting the
applicability of IETF policies; it is strictly following IETF policies.

IESG claims that the "explicitly disallowed" provision in BCP 78 is
limited to the examples in Section 3 in BCP 78. That is incorrect. BCP
78 states that Section 5, "Rights in Contributions", is normative, while
Section 3, "Exposition of Why These Procedures Are the Way They Are", is
informative. The opt-out provision in the normative text is clear, and
cannot be limited by an informative section. BCP 78 does not give IESG
any authority to issue changes or purported clarifications of the rules.

Rationale for exercising the BCP 78 opt-out provision: I'm fine with
redistribution of copies of this document. The issue is instead with
modification, such as (1) IESG's May 2025 posting of an IESG-mangled
version of an appeal that I had filed and (2) IETF management selling
IETF mailing-list text to AI companies. This goes far beyond what
copyright law allows as fair use (such as giving quotes for purposes of
commentary). When I complained about the mangled document, the IETF
Executive Director responded not by apologizing but instead by asserting
that IETF management "has a license" to do anything it wants.

v2.46.0 | Report a Bug | By Email | System Status