>My guess is that only https://github.com/tlswg/tls-mldsa/pull/36 will have WG
>support.
- The idea that the server can use the client random to protect against
side-channel attacks is obviously wrong.
- The server random and the ML-DSA rnd value might be generated by completely
different random number generators with different quality. It is not clear that
the ML-DSA rnd can be replaced by server random.
- The server random and the ML-DSA rnd value are used in different parts of the
input and could affect side-channel behavior in different ways.
This PR should not be merged in its current form. It makes very strong
statements ("do not apply") with little motivation. I think more analysis would
be needed even to support weaker statements. I do not think the draft should,
or needs to, say anything about deterministic versus hedged signing.
Cheers,
John Preuß Mattsson
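The distinction drawn above between the server random and the ML-DSA rnd value, as an added illustration that is not part of this thread or of the draft: a Python sketch of where each one lands in the signing input, following FIPS 204 (mu = H(tr || M', 64), rho'' = H(K || rnd || mu, 64)) and the RFC 8446 section 4.4.3 CertificateVerify content. The key seed K, tr, the transcript hashes and the empty ctx are constructed sample values, not real key material.

```python
import hashlib
import os

# H in FIPS 204 is SHAKE256 with an explicit output length.
def H(data: bytes, out_len: int) -> bytes:
    return hashlib.shake_256(data).digest(out_len)

DETERMINISTIC_RND = b"\x00" * 32  # FIPS 204 Alg. 2: rnd = 0^32 in the deterministic variant

def cert_verify_content(transcript_hash: bytes) -> bytes:
    """RFC 8446 4.4.3: the message ML-DSA signs in a TLS 1.3 server CertificateVerify.
    The client and server randoms reach the signature only through transcript_hash
    (they sit in ClientHello and ServerHello)."""
    return b"\x20" * 64 + b"TLS 1.3, server CertificateVerify" + b"\x00" + transcript_hash

def signing_seed(K: bytes, tr: bytes, message: bytes, rnd: bytes, ctx: bytes = b"") -> bytes:
    """Simplified FIPS 204 Alg. 2/7 derivation of rho'', the seed that drives the signing
    loop. rnd enters here directly beside the private key seed K; the message (and so
    the TLS randoms) enters only through mu."""
    assert len(K) == 32 and len(tr) == 64 and len(rnd) == 32
    m_prime = b"\x00" + bytes([len(ctx)]) + ctx + message  # Alg. 2: M' = 0 || |ctx| || ctx || M
    mu = H(tr + m_prime, 64)                               # Alg. 7: mu = H(tr || M', 64)
    return H(K + rnd + mu, 64)                             # Alg. 7: rho'' = H(K || rnd || mu, 64)

# Constructed sample key material and transcript hashes (not real keys).
K_SAMPLE = bytes(range(32))
TR_SAMPLE = bytes(range(64))
TRANSCRIPT_A = hashlib.sha256(b"handshake with server random A").digest()
TRANSCRIPT_B = hashlib.sha256(b"handshake with server random B").digest()

def compare_modes(transcript_1: bytes, transcript_2: bytes, rnd_1: bytes, rnd_2: bytes) -> dict:
    """Report which rho'' values coincide, showing which part of the input each
    source of randomness actually perturbs."""
    msg_1 = cert_verify_content(transcript_1)
    msg_2 = cert_verify_content(transcript_2)
    det_1 = signing_seed(K_SAMPLE, TR_SAMPLE, msg_1, DETERMINISTIC_RND)
    det_2 = signing_seed(K_SAMPLE, TR_SAMPLE, msg_2, DETERMINISTIC_RND)
    det_1_again = signing_seed(K_SAMPLE, TR_SAMPLE, msg_1, DETERMINISTIC_RND)
    hedged_1 = signing_seed(K_SAMPLE, TR_SAMPLE, msg_1, rnd_1)
    hedged_2 = signing_seed(K_SAMPLE, TR_SAMPLE, msg_1, rnd_2)
    return {
        "deterministic_varies_with_transcript": det_1 != det_2,   # via mu only
        "deterministic_repeats_on_same_transcript": det_1 == det_1_again,
        "hedged_varies_on_same_transcript": hedged_1 != hedged_2,  # via rnd, not mu
    }

if __name__ == "__main__":
    print(compare_modes(TRANSCRIPT_A, TRANSCRIPT_B, os.urandom(32), os.urandom(32)))
```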
From: Bas Westerbaan <[email protected]>
Date: Tuesday, 9 June 2026 at 13:46
To: [email protected] <[email protected]>
Cc: <[email protected]>; [email protected] <[email protected]>
Subject: [TLS] Re: Genart last call review of draft-ietf-tls-mldsa-03
Hi Joel,
Thanks for the review.
Minor issues: The security considerations section seems remarkably light. It
may be correct.
Original intention was to keep the security considerations specific to anything
particular about the use of ML-DSA in TLS and refer to existing documents (FIPS
204, RFC 8446) for generally applicable considerations.
The working group has certainly thought a lot more about it than these short
few words might suggest. Among others, the WG discussed several changes:
whether to mention composites (hybrids); whether to discuss hedged vs
deterministic signing; and whether to repeat general guidance. My guess is
that only https://github.com/tlswg/tls-mldsa/pull/36 will have WG support.
Best,
Bas
_______________________________________________
Gen-art mailing list -- [email protected]