I disagree - DSA is not an example of this. DSA doesn't have a "failure probability", instead, it uses "rejection sampling" to generate the signature (just like ML-DSA does) - it's just that, in the DSA case and unlike the ML-DSA case, the probability of a sample being rejected is extremely tiny. The DSA signature being generated will always be valid.
________________________________
From: Russ Housley <[email protected]>
Sent: Monday, September 22, 2025 4:44 PM
To: Eric Rescorla <[email protected]>
Cc: IETF TLS <[email protected]>
Subject: [TLS] Re: ML-KEM failures

Eric:

I agree. DSA also had a super small possibility of a signature failing. If it ever happened, one would generate a new k value and try again. I understand it never happened, and people stopped talking about the failure case...

Russ

On Mon, Sep 22, 2025 at 9:04 PM Eric Rescorla <[email protected]> wrote:

Hi folks,

I see that the hybrid doc continues to have this text:

Failures. Some post-quantum key exchange algorithms, including ML-KEM [NIST-FIPS-203]<https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-16.html#NIST-FIPS-203>, have non-zero probability of failure, meaning two honest parties may derive different shared secrets. This would cause a handshake failure. ML-KEM has a cryptographically small failure rate; if other algorithms are used, implementers should be aware of the potential of handshake failure. Clients MAY retry if a failure is encountered.

There was extensive discussion about this for the pure ML-KEM draft, and my sense was the sentiment was that this should not be discussed, at least for ML-KEM. I think we should remove this whole section.

-Ekr

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
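The DSA rejection-sampling step discussed at the top of this thread, as an added example that is not part of the thread or of any implementation mentioned in it: a toy DSA over a constructed 11-element subgroup (p = 67, q = 11, g = 64, all chosen here for illustration) where the rejection events are frequent enough to observe. A k that yields r == 0 or s == 0 is discarded and another k drawn, so the signer never emits an invalid signature; the thread's point is that with a real 256-bit q this loop essentially never iterates.

```python
import hashlib
import secrets

# Constructed toy DSA group, far too small for real use: p = 6*q + 1, and g = 2^6 mod p
# has order q. Real DSA uses a ~256-bit q, so the rejections below occur with
# probability about 2/q, i.e. in practice never; here they are frequent enough to see.
P, Q, G = 67, 11, 64

def hash_to_int(msg):
    # FIPS 186 keeps the leftmost bits of the digest; mod q is the toy stand-in.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen():
    x = 1 + secrets.randbelow(Q - 1)  # private key in [1, q-1]
    return x, pow(G, x, P)            # (x, y = g^x mod p)

def sign(x, msg, k_source=None):
    """Return (r, s, rejections). k_source feeds explicit k values for a deterministic
    demo; by default k is drawn uniformly from [1, q-1]."""
    h, rejections = hash_to_int(msg), 0
    while True:
        k = next(k_source) if k_source is not None else 1 + secrets.randbelow(Q - 1)
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (h + x * r) % Q
        if r == 0 or s == 0:
            # Rejection sampling: discard this k and draw another. Nothing is emitted,
            # so the caller never receives an invalid signature.
            rejections += 1
            continue
        return r, s, rejections

def verify(y, msg, r, s):
    if not (0 < r < Q and 0 < s < Q):
        return False
    h, w = hash_to_int(msg), pow(s, -1, Q)
    v = (pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r

def rejection_count(x, msg):
    """How many of the q-1 possible k values this key/message pair rejects."""
    h = hash_to_int(msg)
    return sum(1 for k in range(1, Q)
               if (r := pow(G, k, P) % Q) == 0 or pow(k, -1, Q) * (h + x * r) % Q == 0)

if __name__ == "__main__":
    x, y = keygen()
    r, s, rej = sign(x, b"ML-KEM failures", iter([10, 3, 4, 5, 6, 7, 8, 9, 1, 2]))
    print(f"k=10 gives g^10 mod p = 22, so r == 0 and it is rejected; rejections={rej}")
    print("signature", (r, s), "verifies:", verify(y, b"ML-KEM failures", r, s))
    print("k values rejected for this key/message:", rejection_count(x, b"ML-KEM failures"), "of", Q - 1)
```

In this toy group at most three of the ten possible k values are ever rejected for a given key and message (k = 10 always, plus up to two that make s == 0); for standard DSA parameters the same two conditions have probability about 2^-255 each.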
