On Mon, 18 May 2026 at 19:13, Salz, Rich <[email protected]> wrote:
> > - The IETF possibly via CFRG could provide security considerations for
> > - ML-DSA generally, maybe with the help of the Crypto Review Panel.
>
> Do you really believe that people in the CFRG and/or the Crypto Panel
> believe that they have anything to add that didn't come up during the NIST
> work? Have you asked them?

Are you asking if one person really believes that two other groups of people believe that other people believe something?

Also, I think asking the CFRG and/or Crypto Panel is essentially what Simon is suggesting, isn't it?

Simon's general point that the Security Considerations are insufficient is interesting enough for me to verify.

I looked at the I-D, and that references Section 3.4 in FIPS 204 without comment.

FIPS 204 Section 3.4 indicates that there are essentially two subsets of the signing algorithm, one being deterministic and the other being hedged. It suggests that the deterministic algorithm SHOULD NOT (I'm interpolating RFC 2119 language here) be used where side-channels are a problem, and that it is there to support cases where a source of randomness is unavailable.

I would have preferred to see this surfaced and discussed in the I-D, since if I follow correctly TLS 1.3 already requires true randomness and therefore I would expect to see that ML-DSA signing MUST always use the hedged variant. No occurrences of "Determ" or "Hedg" exist in the I-D, for clarity.

Based on this one case, I would suggest that the Security Considerations are indeed weak, inasmuch as following the references seems insufficient advice. It may be that such things are obvious to people more versed in cryptography than I am, of course, but since this case was one that Simon points out, it does seem to hold up.

Dave.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
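The hedged/deterministic distinction Dave describes lives in one step of ML-DSA.Sign: the 32-byte value rnd that FIPS 204 mixes into the per-signature seed. The block below is an added illustration written for this thread; it is not code from the I-D, from FIPS 204, or from any ML-DSA implementation. It implements only that seed derivation (the M' framing from Algorithm 2 and the mu / rho'' hashes from Algorithm 7) and leaves out ExpandMask, the rejection loop and the actual signature. The key fields K and tr are constructed stand-ins for the corresponding fields of a real secret key, and the `require_rng` flag is an assumed policy knob modelling a caller such as a TLS stack that already has a CSPRNG and should never fall back to the deterministic variant.

```python
"""Added example: the hedging step of ML-DSA.Sign (FIPS 204, Algorithms 2 and 7).

Illustration only: not the I-D's, FIPS 204's, or any library's code. Only the
per-signature seed derivation is implemented; the lattice arithmetic is omitted.
"""
import hashlib
import os

SEED_LEN = 32   # length of rnd and of K in bytes (FIPS 204)
H_OUT = 64      # output length of H when deriving mu and rho'' (FIPS 204 Alg. 7)


def H(data, n):
    """FIPS 204's H: SHAKE256 with an n-byte output."""
    return hashlib.shake_256(data).digest(n)


def format_message(msg, ctx=b""):
    """M' from ML-DSA.Sign (Alg. 2, as bytes): 0x00 || len(ctx) || ctx || M.
    ctx is limited to 255 bytes because its length is encoded in one byte."""
    if len(ctx) > 255:
        raise ValueError("ctx longer than 255 bytes")
    return bytes([0, len(ctx)]) + ctx + msg


def mask_seed(K, tr, m_prime, rnd):
    """Lines 6-7 of ML-DSA.Sign_internal (Alg. 7):
         mu    = H(tr || M', 64)
         rho'' = H(K || rnd || mu, 64)
    rho'' is what seeds ExpandMask, i.e. the per-signature masking vector y."""
    if len(K) != SEED_LEN or len(rnd) != SEED_LEN or len(tr) != H_OUT:
        raise ValueError("bad K / rnd / tr length")
    mu = H(tr + m_prime, H_OUT)
    rho2 = H(K + rnd + mu, H_OUT)
    return mu, rho2


def choose_rnd(hedged, require_rng=False):
    """Alg. 2 line 2: fresh RBG output for the hedged variant, 0^32 for the
    deterministic one. require_rng (assumed policy knob, not in FIPS 204)
    models a caller that must never sign deterministically."""
    if hedged:
        return os.urandom(SEED_LEN)
    if require_rng:
        raise ValueError("deterministic ML-DSA not permitted here")
    return bytes(SEED_LEN)


def sign_seed(K, tr, msg, ctx=b"", hedged=True, require_rng=False):
    """Return (rnd, mu, rho'') for one signing call; the real signer would
    continue from rho'' into the rejection-sampling loop."""
    rnd = choose_rnd(hedged, require_rng)
    mu, rho2 = mask_seed(K, tr, format_message(msg, ctx), rnd)
    return rnd, mu, rho2


# Constructed stand-in key material. In a real key K comes from key generation
# and tr = H(pk, 64); these values are for this demo only.
DEMO_K = os.urandom(SEED_LEN)
DEMO_TR = H(b"demo public key bytes", H_OUT)


def demo():
    """Sign the same message twice in each mode and compare the mask seeds."""
    msg = b"constructed message standing in for a TLS 1.3 transcript"
    _, mu_a, det_a = sign_seed(DEMO_K, DEMO_TR, msg, hedged=False)
    _, mu_b, det_b = sign_seed(DEMO_K, DEMO_TR, msg, hedged=False)
    _, _, hed_a = sign_seed(DEMO_K, DEMO_TR, msg, hedged=True)
    _, _, hed_b = sign_seed(DEMO_K, DEMO_TR, msg, hedged=True)
    return {
        "mu_same": mu_a == mu_b,                   # mu never depends on rnd
        "deterministic_repeats": det_a == det_b,   # same rho'' -> same y
        "hedged_repeats": hed_a == hed_b,          # fresh rho'' every call
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point concretely: mu depends only on the key and message, so in deterministic mode a repeated message yields the same rho'' and therefore the same masking vector y on every run, which is exactly the situation FIPS 204 Section 3.4 warns about for side-channel-exposed platforms. In hedged mode rho'' is fresh per call. A TLS implementation, which already has a CSPRNG, has no reason to ever take the deterministic branch; the `require_rng` guard is one way to make that a hard failure rather than a silent fallback.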
