[Last-Call] Re: [TLS] Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

"D. J. Bernstein" <djb@cr.yp.to> Tue, 02 June 2026 22:04 UTC

Date: Tue, 02 Jun 2026 22:04:02 -0000
Message-ID: <20260602220402.2292881.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org, last-call@ietf.org
Mail-Followup-To: tls@ietf.org, last-call@ietf.org
In-Reply-To: <CAEEbLAYUFWndaF8UL+=wV1c3Zv0jjZrdmB1T+40bcYphZYdLuw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/0TJ297MxKhTJ4gonXr2H86xLi-8>

Sophie Schmieg writes:
> the described vulnerabilities are due to the usage of the Fiat-Shamir
> transform and are shared by all constructions that use the Fiat-Shamir
> transform as well as ECDSA

No. Some of them are, some of them aren't. Taking Ed25519 as a concrete
example: https://cr.yp.to/papers/mldsa-20260601.pdf#ecc-vs-pq already
reviews how various potential Ed25519 bugs have analogies for ML-DSA,
but it continues as follows: "Section 3 shows how easily bugs can appear
in various lines of ML-DSA code that don't seem to correspond to any
lines in Ed25519."

https://cr.yp.to/papers/mldsa-20260601.pdf#ecc-vs-pq also explains how
difficult it is to argue that ML-DSA bug rates in, say, 2027 will be as
low as Ed25519 bug rates in 2027: "The starting obstacle here is the
vulnerability-lifetime data from [49] and [2], where software
vulnerabilities often remain undetected for 5 or more years. ML-DSA is
suddenly adding many new lines of software. Ed25519 software has
typically been around for much longer, giving many more opportunities
for vulnerabilities to be discovered." The paper gives quantitative
estimates of these effects.

More to the point, the core argument against solo PQ is not that ECC is
less risky than solo PQ, but that ECC+PQ is less risky than solo PQ.
https://cr.yp.to/papers/mldsa-20260601.pdf#eccpq-vs-pq says "Here's the
basic point: even if one imagines the rate of ML-DSA vulnerabilities
somehow being as low as the rate of Ed25519 vulnerabilities,
Ed25519+ML-DSA usually forces the attacker to break ML-DSA _and_
Ed25519, which is less likely than being able to break just ML-DSA."

> ML-DSA is actually the most hardened version of
> this transform, using both entropy stored in the private key with the
> message as well as externally supplied entropy for computing its witness.

https://cr.yp.to/papers/mldsa-20260601.pdf#noncetest explains why this
makes it more likely for real-world libraries to skip known-answer tests
for signing---which in turn gives a free pass to many signing bugs, not
just nonce repetition.

> invent a fault at rhoprimeprime

Bug, not fault. https://cr.yp.to/papers/mldsa-20260601.pdf#nonceease
explains how easy this mistake is for an ML-DSA implementor to make. As
for "invent", this particular bug is just like the Sony PlayStation 3
ECDSA disaster.

> covered by test vectors

The question at hand is not whether your favorite library has tests
catching these bugs. The question is the security damage that would be
done by having TLS use solo ML-DSA rather than ECC+ML-DSA. That's a
question about many different libraries with haphazard collections of
tests. See https://cr.yp.to/papers/mldsa-20260601.pdf#coefftest.

---D. J. Bernstein


===== NOTICES =====

IETF BCP 78, "Rights Contributors Provide to the IETF Trust", Section 5
(normative), "Rights in Contributions", provides a modification right
"unless explicitly disallowed in the notices contained in a Contribution
(in the form specified by the Legend Instructions)".

The official language from IETF's "Legend Instructions" for the
situation that "the Contributor does not wish to allow modifications nor
to allow publication as an RFC" is as follows: "This document may not be
modified, and derivative works of it may not be created, and it may not
be published except as an Internet-Draft."
<https://trustee.ietf.org/wp-content/uploads/Corrected-TLP-5.0-legal-provsions.pdf>

The same language is used in, e.g., RFC 5831. The same language hereby
applies to this document. This is not disclaiming or limiting the
applicability of IETF policies; it is strictly following IETF policies.

IESG claims that the "explicitly disallowed" provision in BCP 78 is
limited to the examples in Section 3 in BCP 78. That is incorrect. BCP
78 states that Section 5, "Rights in Contributions", is normative, while
Section 3, "Exposition of Why These Procedures Are the Way They Are", is
informative. The opt-out provision in the normative text is clear, and
cannot be limited by an informative section. BCP 78 does not give IESG
any authority to issue changes or purported clarifications of the rules.

Rationale for exercising the BCP 78 opt-out provision: I'm fine with
redistribution of copies of this document. The issue is instead with
modification, such as (1) IESG's May 2025 posting of an IESG-mangled
version of an appeal that I had filed and (2) IETF management selling
IETF mailing-list text to AI companies. This goes far beyond what
copyright law allows as fair use (such as giving quotes for purposes of
commentary). When I complained about the mangled document, the IETF
Executive Director responded not by apologizing but instead by asserting
that IETF management "has a license" to do anything it wants.