IETF Logo Mail Archive

[Last-Call] Re: [TLS] Re: [EXT] Re: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

"D. J. Bernstein" <djb@cr.yp.to> Wed, 27 May 2026 12:21 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: last-call@mail2.ietf.org
Delivered-To: last-call@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D0255F5E1937 for <last-call@mail2.ietf.org>; Wed, 27 May 2026 05:21:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779884479; bh=Qya70WJ4mNexskZ7C8qijs6JWY/IeWEOebvwu03t4FY=; h=Date:From:To:Subject:In-Reply-To; b=wKlDSqFUdQDZ/45erqRTS1mXHVuGN5OYEoLDc4WMXrZ9y59jK+a3msfWz6pBGahgU WphmcKSqf1z9LmgiCO7c2roYmSPSQ7p3cHI3EXD8J7Ke/PHR/oyVjnjTRSnCaq36rb TnBxGW78r/OJse2kn2yh3WKt5kvZZAnXuWd0hb8k=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=unavailable autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gRNLlpWpl9hc for <last-call@mail2.ietf.org>; Wed, 27 May 2026 05:21:19 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by mail2.ietf.org (Postfix) with SMTP id 2B0FCF5E1922 for <last-call@ietf.org>; Wed, 27 May 2026 05:21:15 -0700 (PDT)
Received: (qmail 683561 invoked by uid 1010); 27 May 2026 12:21:09 -0000
Received: from unknown (unknown) by unknown with QMTP; 27 May 2026 12:21:09 -0000
Received: (qmail 1840369 invoked by uid 1000); 27 May 2026 12:20:59 -0000
Date: Wed, 27 May 2026 12:20:59 -0000
Message-ID: <20260527122059.1840367.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org, last-call@ietf.org
Mail-Followup-To: tls@ietf.org, last-call@ietf.org
In-Reply-To: <9f7101f7-73f7-4dbb-8349-a76c12b16483@kavula.fi>
Message-ID-Hash: DNIK3VI47FOZ4C5FN2Y6VFP4JLSQSJ7B
X-Message-ID-Hash: DNIK3VI47FOZ4C5FN2Y6VFP4JLSQSJ7B
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Last-Call] Re: [TLS] Re: [EXT] Re: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC
List-Id: IETF Last Calls <last-call.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/iAJnFXRSSjBjn1TbEYNNygUsexM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Owner: <mailto:last-call-owner@ietf.org>
List-Post: <mailto:last-call@ietf.org>
List-Subscribe: <mailto:last-call-join@ietf.org>
List-Unsubscribe: <mailto:last-call-leave@ietf.org>

Marc Penninga writes:
> Hybrid key exchanges also require both *keys* to be independent, and
> the combiner function to be theoretically sound, and the combiner
> function to be implemented correctly.

A few lines of combiner code for key exchange or for signatures can
certainly have bugs, just like other lines of code. Maybe someone will
find an example someday where a combiner bug slipped past testing _and_
made ECC+PQ easier than PQ to break in TLS.

But it makes absolutely no sense to worry more about this than about the
risk of devastating bugs in a much larger volume of code for ML-KEM and
ML-DSA. See https://cr.yp.to/papers.html#pqcomplexity for size metrics
for ML-KEM reference code (never mind the extra complications of code
aiming for higher speed). ML-DSA code is even larger than ML-KEM code.

https://blog.cr.yp.to/20240102-hybrid.html#morecomplicated already
explained this. See in particular the comments on the possibility of a
"devastating bug in the lines of code for the hybrid hash" vs. "the risk
of an exploit of a post-quantum implementation". Those comments cited
KyberSlash as a then-recent example of a demonstrated PQ vulnerability.

Of course, PQ security failures aren't just software failures. SIKE, for
example, was applied to tens of millions of TLS user sessions as part of
CECPQ2b. The only reason that the SIKE break didn't immediately violate
the confidentiality of all of this user data is that CECPQ2b also had an
ECC layer. And then there's https://cr.yp.to/papers.html#qrcsp surveying
breaks of 48% of the 69 post-quantum proposals in the NIST competition,
often with very fast attacks.

> All of which I have seen go wrong in real-world code.

How about giving some URLs and summaries of the supposed impact, so that
readers can compare what you're talking about to the neverending parade
of verifiable public examples of PQ security disasters?

John Mattsson writes:
> Poorly designed hybrids can actually be easier to attack than any of
> their constituent components individually. One example is [1], which
> inherits the malleability weakness of ECDSA
  [ etc. ]

When you use the word "weakness", are you claiming something that
reduces TLS security? Or even _potentially_ reduces TLS security? (Did I
miss some effort to ban ECDSA from TLS on this basis?)

How do you reconcile this claim with https://eprint.iacr.org/2020/1029
having theorems saying that all TLS needs from a signature system is the
standard "EUF-CMA" property, i.e., the inability of attackers to forge
signatures on new messages?

Simply concatenating a fixed-length ECC signature with a PQ signature,
and verifying both, is a safe way to handle ECC+PQ for any protocol
whose security relies purely on EUF-CMA. The attacker can't forge a
concatenated signature on a new message without forging the ECC
signature on that message _and_ the PQ signature on that message.

As I've commented elsewhere, it's possible to spend endless time
discussing other options for a few lines of code for the combiner. For
example, https://pqcrypto.eu.org/deliverables/d2.5.pdf#subsection.3.3
recommends an alternative of using the second signature system to sign
the first signed message. Mothma has very slight extra complications,
which I believe are justified by the protection against various weird
things that protocols might do. But please don't mislead people into
thinking that any of these extra protections matter for TLS.

---D. J. Bernstein


===== NOTICES =====

IETF BCP 78, "Rights Contributors Provide to the IETF Trust", Section 5
(normative), "Rights in Contributions", provides a modification right
"unless explicitly disallowed in the notices contained in a Contribution
(in the form specified by the Legend Instructions)".

The official language from IETF's "Legend Instructions" for the
situation that "the Contributor does not wish to allow modifications nor
to allow publication as an RFC" is as follows: "This document may not be
modified, and derivative works of it may not be created, and it may not
be published except as an Internet-Draft."
<https://trustee.ietf.org/wp-content/uploads/Corrected-TLP-5.0-legal-provsions.pdf>

The same language is used in, e.g., RFC 5831. The same language hereby
applies to this document. This is not disclaiming or limiting the
applicability of IETF policies; it is strictly following IETF policies.

Rationale: I'm fine with redistribution of copies of this document. The
issue is with modification, such as (1) IESG's May 2025 posting of an
IESG-mangled version of an appeal that I had filed and (2) IETF
management selling IETF mailing-list text to AI companies.

v2.46.0 | Report a Bug | By Email | System Status