On Thu, 28 May 2026 at 13:23, Ilari Liusvaara <[email protected]> wrote:
> I see three relevant risks:
>
> - Completely novel kind of attack against ML-DSA that destroys it.
> - Implementation flaw in signing that leaks the private key.
> - Implementation flaw in verification that allows forgery.
>
> The first was subject of intense vetting over a decade. And should that
> happen, we have a major problem regardless.

Just to remark that we have fully realised the latter two risks in implementations of existing signature algorithms, that had real-world and practical impact. These were then designated as MTI in TLS 1.3, years and years after that happened.

So I think if those risks are cited to motivate hybrid signature schemes, at the same time the motivational text should address why the as-yet unrealised risks of ML-DSA are more pressing than the repeatedly realised implementation risks of ECDSA and RSA.

Thanks,
Joe
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
