On Thu, May 28, 2026 at 09:54:05AM +0200, Simon Josefsson wrote:
> Eric Rescorla <[email protected]> writes:
>
> > The argument for hybrids in this context is that if one has
> > substantially higher confidence in the security of the traditional
> > algorithm than the PQ one against classical attack, then it is safer
> > to deploy hybrids. As has been discussed in detail, however, the threat
> > model is different here because the attacker has to be able to break
> > the vulnerable algorithm at the time of the connection (this is just a
> > generalization of Watson's point), so the level of risk depends on (a)
> > how rapidly you can disable the PQ algorithm if it's found to be
> > vulnerable
>
> If there is no other widely deployed choice than pure ML-DSA that time
> window will be long, and the level of risk high.
I do not think the length of the time window has material impact on the
risk. If anything, I think that the time window growing would reduce the
level of risk.

I see three relevant risks:

- Completely novel kind of attack against ML-DSA that destroys it.
- Implementation flaw in signing that leaks the private key.
- Implementation flaw in verification that allows forgery.

The first was the subject of intense vetting over a decade. And should
that happen, we have a major problem regardless. And with regards to PQ
algorithms, not all are the same. Even among "serious" problems (basically
anything that is not "interesting"), there is great variability in
confidence.

The second and third can be mitigated by testing with test vectors.
Preferably of the adversarial kind that trigger, or miss triggering, all
sorts of edge cases by a narrow margin, or contain both vectors that pass
and vectors that fail.

The second kind only matters if ML-DSA is actually used. And unfortunately
the third kind is not that severe compared to the kinds of vulnerabilities
going around nowadays.

> That's why we need several alternatives, including hybrid PQ signature
> authentication.

Alternatives are exactly what we do not want, because those are harmful to
interoperability, and destroying interoperability destroys security.
Long-term keys make signatures very sensitive to this kind of problem.

> And if we have at least one hybrid specified, implemented and deployed,
> I don't believe using non-hybrid variants is a good choice for a general
> Internet-wide recommendation for the next ~10 years. We need to gain
> confidence in ML-DSA and other new signature algorithms.

I do not think it will be deployed. And with regards to gaining
confidence, there is already substantial confidence in ML-DSA.

-Ilari

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
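The message above argues that verification-side forgery bugs are best caught with test vector sets that contain both vectors that must pass and vectors that must fail, each missing validity by a narrow margin. The following is an added example of such a harness; it is not from the mailing-list post and not any TLS or ML-DSA implementation's own test code. Because the Go standard library has no ML-DSA, it uses Ed25519 from crypto/ed25519 as a stand-in: the harness only assumes a verifier of the shape `verify(pub, msg, sig) bool`, so the same vector construction applies to an ML-DSA verifier. The `lenientVerify` function is a constructed bug (a skipped signature-length check) included to show that only the negative vectors expose it; the seed and message are constructed sample data, and all function and type names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Vector is one known-answer test case: Want is what a correct verifier must return.
type Vector struct {
	Name string
	Pub  []byte
	Msg  []byte
	Sig  []byte
	Want bool
}

// VerifyFunc is the only interface the harness needs; any (pub, msg, sig) -> bool verifier fits.
type VerifyFunc func(pub, msg, sig []byte) bool

// ed25519Verify wraps the stdlib verifier and rejects a malformed key length instead of panicking.
func ed25519Verify(pub, msg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}

// lenientVerify is a constructed buggy verifier: it skips the signature-length check and
// accepts any signature whose length is not exactly SignatureSize bytes.
func lenientVerify(pub, msg, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return true // bug: a wrong-length signature must be rejected
	}
	return ed25519Verify(pub, msg, sig)
}

// flipBit returns a copy of b with mask XORed into byte i; the input is never modified.
func flipBit(b []byte, i int, mask byte) []byte {
	c := append([]byte(nil), b...)
	c[i] ^= mask
	return c
}

// BuildVectors derives, from one valid (pub, msg, sig) triple, a positive vector and a set of
// negative vectors that each differ from it by a narrow margin (one bit, one byte of length).
func BuildVectors(pub, msg, sig []byte) []Vector {
	return []Vector{
		{"valid", pub, msg, sig, true},
		{"sig first bit flipped", pub, msg, flipBit(sig, 0, 0x80), false},
		{"sig last bit flipped", pub, msg, flipBit(sig, len(sig)-1, 0x01), false},
		{"sig top bit of last byte set", pub, msg, flipBit(sig, len(sig)-1, 0x80), false},
		{"sig truncated by one byte", pub, msg, sig[:len(sig)-1], false},
		{"sig extended by one byte", pub, msg, append(append([]byte(nil), sig...), 0x00), false},
		{"sig all zero", pub, msg, make([]byte, len(sig)), false},
		{"sig empty", pub, msg, nil, false},
		{"msg last bit flipped", pub, flipBit(msg, len(msg)-1, 0x01), sig, false},
		{"msg extended by one byte", pub, append(append([]byte(nil), msg...), 0x00), sig, false},
		{"pub last bit flipped", flipBit(pub, len(pub)-1, 0x01), msg, sig, false},
		{"pub truncated by one byte", pub[:len(pub)-1], msg, sig, false},
	}
}

// RunVectors returns the names of the vectors on which verify disagreed with Want.
func RunVectors(verify VerifyFunc, vs []Vector) []string {
	var failed []string
	for _, v := range vs {
		if verify(v.Pub, v.Msg, v.Sig) != v.Want {
			failed = append(failed, v.Name)
		}
	}
	return failed
}

// DemoVectors builds the vector set from a fixed, constructed seed so every run is deterministic.
func DemoVectors() []Vector {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = 0x42
	}
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	msg := []byte("TLS CertificateVerify transcript hash (constructed sample)")
	sig := ed25519.Sign(priv, msg)
	return BuildVectors([]byte(pub), msg, sig)
}

func main() {
	vs := DemoVectors()
	fmt.Println("correct verifier failed vectors:", RunVectors(ed25519Verify, vs))
	fmt.Println("lenient verifier failed vectors:", RunVectors(lenientVerify, vs))
}
```

Run as `go run .`: the correct verifier fails no vectors, while the lenient one fails exactly the three length-mutation vectors. The point the harness makes is that a positive-only vector file (the usual shape of published KATs) would rate both verifiers as passing; the forgery-relevant bug is visible only because the set also contains inputs that must be rejected.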
