On 30.05.26 14:11, John Mattsson wrote:

> - Most experts have a high degree of confidence in hash-based and lattice-based signatures. This includes US NIST, CNSA 2.0, European crypto agencies, as well as cryptographers in academia and industry, such as Sophie Schmieg [2].

This suggests a consensus in academia that, as far as I can tell, does not exist.

Regarding “most experts”: the authors themselves (!) of Dilithium/ML-DSA recommend hybrid deployment. On their website they write (see https://pq-crystals.org/dilithium/index.shtml):

"For users who are interested in using Dilithium, we recommend the following: [...] Use Dilithium in a so-called hybrid mode in combination with an established "pre-quantum" signature scheme."
Similarly, for Kyber/ML-KEM (see https://pq-crystals.org/kyber/index.shtml), they write:

"For users who are interested in using Kyber, we recommend the following: [...] Use Kyber in a so-called hybrid mode in combination with established "pre-quantum" security; for example in combination with elliptic-curve Diffie-Hellman."

This statement might of course be outdated, but I recently asked one of the members of the CRYSTALS team whether this is still his view, and the response was: "Yes, of course."
In my view, the concern is not with lattice-based cryptography as a paradigm, nor with the algorithms. Also, not with backdoors. Rather, it is with the underlying hardness assumptions and, in particular, the concrete parameter choices. At present, these appear fine. However, assuming that this assessment is unlikely to change seems optimistic.
> I am very unconvinced by people who criticize ML-DSA while
> not applying the same scrutiny to RSA, ECDSA, and EdDSA. The criticism
> of ML-DSA and IETF often applies double standards that don't survive
> scrutiny.
The above comparison is not entirely apt. 30-40 years ago, there were fewer alternatives available, computational resources were much more limited, and hybrid deployment was generally not a practical option. By the time computational costs had decreased, RSA and discrete-logarithm-based systems had already accumulated decades of scrutiny and practical experience.

More importantly, from my perspective, advocating hybrids is neither a criticism of ML-DSA nor an application of double standards, but a matter of risk management. We are considering introducing algorithms based on comparatively new hardness assumptions into the most important cryptographic protocol on the Internet. There is nothing wrong with optimism, but in this context one may also argue that a more cautious approach is warranted. Better safe than sorry.
_______________________________________________
TLS mailing list -- [email protected]