>
> - The idea that the server can use the client random to protect against
> side-channel attacks is obviously wrong.
>
Which is not claimed. Client randomness is mentioned as we're also
concerned with client authentication.
> - The server random and the ML-DSA rnd value are used in different parts of
> the input and could affect side-channel behavior in different ways.
For those reading along, the only place the ML-DSA rnd and the input message M
are used is in the computation of rho'':
rho'' = H(K || rnd || H((tr) || 0 || len(ctx) || ctx || M))
M contains the transcript hash which includes the client/server randomness.
> - The server random and the ML-DSA rnd value might be generated by
> completely different random number generators with different quality. It
> is not clear that the ML-DSA rnd can be replaced by server random.
>
> This PR should not be merged in its current form. It makes very strong
> statements ("do not apply") with little motivation. I think more analysis
> would be needed even to support weaker statements.
>
The TLS standard requires a good source of randomness. Indeed, its security
analysis has several *very strong statements* (e.g. replay protection) which
would need to be revisited if we were to put that requirement into question.
> I do not think the draft should, or needs to, say anything about
> deterministic versus hedged signing.
>
I'd say a good reason not to mention it, is that there is no harm in
leaving it out.
Best,
Bas
> Cheers,
> John Preuß Mattsson
>
> *From: *Bas Westerbaan <[email protected]>
> *Date: *Tuesday, 9 June 2026 at 13:46
> *To: *[email protected] <[email protected]>
> *Cc: *
> <[email protected]>; [email protected] <[email protected]>
> *Subject: *[TLS] Re: Genart last call review of draft-ietf-tls-mldsa-03
>
> Hi Joel,
>
> Thanks for the review.
>
> Minor issues: The security considerations section seems remarkably light.
> It may be correct.
>
>
> Original intention was to keep the security considerations specific to
> anything particular about the use of ML-DSA in TLS and refer to existing
> documents (FIPS 204, RFC 8446) for generally applicable considerations.
>
> The working group has certainly thought a lot more about it than these
> short few words might suggest. Among others, the WG discussed several
> changes: whether to mention composites (hybrids); whether to discuss hedged
> vs deterministic signing; and whether to repeat general guidance. My guess
> is that only https://github.com/tlswg/tls-mldsa/pull/36 will have WG
> support.
>
> Best,
>
> Bas
>
_______________________________________________
Gen-art mailing list -- [email protected]
To unsubscribe send an email to [email protected]
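The rho'' derivation Bas quotes above, worked through as an added example (not code from the thread, the draft, or the tls-mldsa repository). It follows the FIPS 204 definitions (tr = H(pk, 64), M' = 0 || len(ctx) || ctx || M, mu = H(tr || M', 64), rho'' = H(K || rnd || mu, 64), with H = SHAKE256) and builds M the way RFC 8446 section 4.4.3 builds the CertificateVerify input, so the transcript hash ends up inside M. The key seed K, the public-key bytes and the transcript hashes are constructed placeholders, not real ML-DSA material; the function names are this example's own.

```python
import hashlib
import os

# Constructed stand-ins for the byte strings that feed the hash. In ML-DSA,
# K is the 32-byte seed stored in the private key and tr = H(pk, 64) is the
# hash of the public key (FIPS 204). Neither value here is a real key.
EXAMPLE_K = bytes(range(32))
EXAMPLE_PK = b"constructed-example-public-key-bytes-not-a-real-ml-dsa-key"

# Deterministic signing fixes rnd to 32 zero bytes; hedged signing draws it
# from the signer's RNG (FIPS 204, ML-DSA.Sign).
DETERMINISTIC_RND = bytes(32)

SERVER_CV_CONTEXT = b"TLS 1.3, server CertificateVerify"
CLIENT_CV_CONTEXT = b"TLS 1.3, client CertificateVerify"


def shake256(data: bytes, out_len: int) -> bytes:
    """H from FIPS 204: SHAKE256 with an explicit output length in bytes."""
    return hashlib.shake_256(data).digest(out_len)


def tls13_signed_content(context_string: bytes, transcript_hash: bytes) -> bytes:
    """The message M that TLS 1.3 signs in CertificateVerify (RFC 8446 4.4.3):
    64 bytes of 0x20, the context string, a single 0x00, then the transcript
    hash. The transcript covers ClientHello and ServerHello, so the client and
    server randoms are already bound into M."""
    return b"\x20" * 64 + context_string + b"\x00" + transcript_hash


def mldsa_rho_double_prime(K: bytes, rnd: bytes, pk: bytes, ctx: bytes, M: bytes) -> bytes:
    """rho'' as derived inside ML-DSA.Sign / ML-DSA.Sign_internal (FIPS 204):
        tr    = H(pk, 64)
        M'    = 0x00 || len(ctx) || ctx || M
        mu    = H(tr || M', 64)
        rho'' = H(K || rnd || mu, 64)
    rho'' then seeds the rejection-sampling loop; everything secret-dependent
    downstream of it is a function of K, rnd and the message."""
    if len(K) != 32 or len(rnd) != 32:
        raise ValueError("K and rnd must each be 32 bytes")
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    tr = shake256(pk, 64)
    m_prime = b"\x00" + bytes([len(ctx)]) + ctx + M
    mu = shake256(tr + m_prime, 64)
    return shake256(K + rnd + mu, 64)


def rho_for_handshake(transcript_hash: bytes, rnd: bytes = DETERMINISTIC_RND,
                      context_string: bytes = SERVER_CV_CONTEXT) -> bytes:
    """Convenience wrapper: rho'' for one CertificateVerify with the example
    key material and an empty ML-DSA context string (as the TLS draft uses)."""
    M = tls13_signed_content(context_string, transcript_hash)
    return mldsa_rho_double_prime(EXAMPLE_K, rnd, EXAMPLE_PK, b"", M)


if __name__ == "__main__":
    # Two constructed transcript hashes, standing in for two handshakes whose
    # ClientHello/ServerHello randoms differ.
    th_a = bytes([0x11]) * 32
    th_b = bytes([0x22]) * 32

    det_a = rho_for_handshake(th_a)
    det_b = rho_for_handshake(th_b)
    hedged_a = rho_for_handshake(th_a, rnd=os.urandom(32))

    print("deterministic, handshake A :", det_a.hex()[:32], "...")
    print("deterministic, handshake B :", det_b.hex()[:32], "...")
    print("hedged,        handshake A :", hedged_a.hex()[:32], "...")
    print("same transcript signed twice (deterministic) is identical:",
          det_a == rho_for_handshake(th_a))
```

Running it shows the two points the thread turns on: with deterministic rnd, rho'' still differs between handshakes because the transcript hash (and thus both randoms) sits inside M, while signing the identical transcript twice reproduces the identical rho''; hedged rnd changes rho'' even for a repeated message.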