Joseph Birr-Pixton wrote:

> Just to remark that we have fully realised the latter two risks in implementations of existing signature algorithms, that had real-world and practical impact. These were then designated as MTI in TLS 1.3, years and years after that happened.
>
> So I think if those risks are cited to motivate hybrid signature schemes, at the same time motivational text should address why as-yet unrealized risks of ML-DSA are more pressing than repeatedly realised implementation risks of ECDSA and RSA.
Fully agree. I am very unconvinced by people who criticize ML-DSA while not applying the same scrutiny to RSA, ECDSA, and EdDSA. The criticism of ML-DSA and the IETF often applies double standards that don't survive scrutiny.

- We know that RSA, ECDSA, and EdDSA do not provide any security against quantum computers and will need to be completely phased out over the coming years.

- The claim that ML-DSA is an NSA backdoor is absurd, especially when made by people who simultaneously praise Ed25519. ML-DSA was primarily designed by European cryptographers and relies on SHA-3, which was itself designed by European cryptographers. In contrast, Ed25519 relies on SHA-2, a hash function designed by the NSA.

- The focus on cryptographic algorithms is misplaced. Protocol- and system-level bugs are far more common than breaks of cryptographic primitives. Examples include missing validation of public keys and domain parameters, not checking the authenticity of long-term public keys, and using the same private key in different algorithms. SIGINT has typically targeted weak randomness and key management rather than cryptographic primitives. The Pentagon has now forbidden non-local quantum randomness and symmetric key establishment [1]. The IETF still maintains Security Descriptions Enabling Surveillance (SDES) as a Proposed Standard (RFC 4568) and marks psk_ke and PRKs as Recommended = Y. The IETF should clean up internally before criticizing NIST.

- RSA and FFDH are neither theoretically nor practically compelling. There is no reason to believe that the complexity L_N[1/3, (64/9)^(1/3)] is close to optimal. There have recently been significant advances in cryptanalysis of FFDH systems. I agree with Suite B and 3GPP that RSA and FFDH should have been phased out 20 years ago. It is tragic that RSA remains in widespread use and even appears in new IETF specifications.

- ECDSA is malleable and sensitive to implementation errors, such as missing public-key point validation, which has historically been a common and serious source of vulnerabilities.

- Most experts have a high degree of confidence in hash-based and lattice-based signatures. This includes US NIST, CNSA 2.0, European crypto agencies, as well as cryptographers in academia and industry, such as Sophie Schmieg [2].

- Dilithium was already a very well-designed scheme, and NIST improved it further by incorporating public feedback from academia and industry, including hedged signing and beyond unforgeability (BUF) properties. It is ironic that some of the same people who criticize the IETF for lack of transparency and for claiming consensus on ML-DSA are involved in ISO standardization, while also criticizing NIST for not adopting some of Bernstein’s proposals, despite those proposals having faced significant opposition and clearly failing to achieve consensus in the public PQC forum. Replacing standalone RSA and ECDSA with standalone ML-DSA would be a major security win, significantly improving theoretical security properties and reducing the implementation attack surface.

- I think the suggestion that hybrid signatures are required is the biggest threat to the urgent PQC migration. Trust anchors in PKI and long-lived devices are as prioritized as key exchange [3]. The only solutions mature enough for medium-term deployment are standalone SLH-DSA, standalone ML-DSA, and, in some cases, non-composite PQ/T hybrids.
Cheers,
John Preuß Mattsson

[1] Preparing for Migration to PQC
https://dowcio.war.gov/Portals/0/Documents/Library/PreparingForMigrationPQC.pdf

[2] Guide to the security of various PQC algorithms
https://keymaterial.net/2025/12/13/a-very-unscientific-guide-to-the-security-of-various-pqc-algorithms/

[3] Migrating telecom to quantum-resistant cryptography on a global scale
https://www.ericsson.com/en/reports-and-papers/ericsson-technology-review/articles/migrating-telecom-to-quantum-resistant-cryptography
