[Last-Call] Re: [TLS] Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

"D. J. Bernstein" <djb@cr.yp.to> Mon, 01 June 2026 20:42 UTC

Date: Mon, 01 Jun 2026 20:42:45 -0000
Message-ID: <20260601204245.2216938.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org, last-call@ietf.org
In-Reply-To: <177911881651.554519.6124006444783847072@dt-datatracker-7688897f84-l74h4>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/qkv-XQvsyG57wpw5OLqpdfZQnRg>

I've just finished a paper titled "Exploiting ML-DSA bugs":

    https://cr.yp.to/papers.html#mldsa

Let me gently suggest that IESG extend the current "last call" and ask
the TLS WG chairs to stop censoring my messages to the TLS mailing list.

The abstract of the paper is as follows:

    At least four Dilithium software vulnerabilities have been announced
    so far, including an identical vulnerability in each of the two
    official Dilithium 1.0 implementations and two different
    vulnerabilities in a "verified" implementation of Dilithium 3.4,
    also known as ML-DSA. However, there do not appear to have been any
    demos showing exploitability of any of these vulnerabilities.

    This paper shows that a small change in ML-DSA software creates an
    ML-DSA version of the Dilithium 1.0 software vulnerability, can
    occur by accident as in the original vulnerability, interoperates
    with authentic ML-DSA, passes typical tests, and is exploitable in 1
    second on 1 laptop core. This paper provides an open-source attack
    demo that inspects a public key and two signatures, obtains an
    equivalent secret key, and uses this key to rapidly forge signatures
    on attacker-chosen messages.

    This paper also shows that another small change in ML-DSA software
    creates a different software vulnerability, can occur by accident as
    in the Sony PlayStation 3 ECDSA vulnerability, interoperates with
    authentic ML-DSA, passes typical tests, and is exploitable in 1
    second on 1 laptop core. This paper again provides an open-source
    attack demo that rapidly forges signatures on attacker-chosen
    messages, after inspecting a public key and a few signatures.

    This paper then uses standard techniques to estimate exploitability
    rates for ML-DSA software, and to estimate the number of ML-DSA keys
    that the attacker will be able to break in year Y, as a function of Y.

    This paper also reviews evidence in the literature regarding quantum
    timelines, costs of quantum attacks, and non-quantum security
    failures in ECC, so as to estimate the number of Ed25519+ML-DSA
    double-signing keys that the attacker will be able to break in year
    Y. The main conclusion is that, even years after the first quantum
    attack, this number will still be much smaller than the number of
    breakable ML-DSA keys.

    Qualitative security benefits of ECC+PQ compared to solo PQ have
    been pointed out before, but not with quantified estimates of the
    number of breakable keys. Some recent postings gave arguments
    disputing these benefits; this paper closes by pointing out flaws in
    those arguments.

---D. J. Bernstein


===== NOTICES =====

IETF BCP 78, "Rights Contributors Provide to the IETF Trust", Section 5
(normative), "Rights in Contributions", provides a modification right
"unless explicitly disallowed in the notices contained in a Contribution
(in the form specified by the Legend Instructions)".

The official language from IETF's "Legend Instructions" for the
situation that "the Contributor does not wish to allow modifications nor
to allow publication as an RFC" is as follows: "This document may not be
modified, and derivative works of it may not be created, and it may not
be published except as an Internet-Draft."
<https://trustee.ietf.org/wp-content/uploads/Corrected-TLP-5.0-legal-provsions.pdf>

The same language is used in, e.g., RFC 5831. The same language hereby
applies to this document. This is not disclaiming or limiting the
applicability of IETF policies; it is strictly following IETF policies.

IESG claims that the "explicitly disallowed" provision in BCP 78 is
limited to the examples in Section 3 in BCP 78. That is incorrect. BCP
78 states that Section 5, "Rights in Contributions", is normative, while
Section 3, "Exposition of Why These Procedures Are the Way They Are", is
informative. The opt-out provision in the normative is clear, and cannot
be limited by an informative section. BCP 78 also does not give IESG any
authority to issue changes or purported clarifications of the rules.

Rationale for exercising the BCP 78 opt-out provision: I'm fine with
redistribution of copies of this document. The issue is instead with
modification, such as (1) IESG's May 2025 posting of an IESG-mangled
version of an appeal that I had filed and (2) IETF management selling
IETF mailing-list text to AI companies. There's no legitimate excuse for
that, and it goes far beyond what copyright law allows as fair use, such
as giving quotes for purposes of commentary.