" This statement might of course be outdated, but I recently asked one of the members of the CRYSTALS team whether this is still his view, and the response was: "Yes, of course." "
I also recently asked *TWO* members of the CRYSTALS team whether they support hybrids in their view, and their joint response, which they wrote in tiki torches -- flaming and placed across the facade of a certain skyscraper located in the Iberian Peninsula, with a massive fireworks show celebrating the lighting of these torches -- was "No, of course not!" [[*The above was said facetiously*. In full disclosure, I have not been explicitly told by the CRYSTALS team that they lit fiery torches in the Iberian Peninsula with a massive fireworks show in support of any particular cryptographic viewpoint.]] ----- *On a more serious note:* This entire thread of discussion is blatantly lacking in any novel, critical technical material. In fact, this entire thread of discussion has been kicked off by DJB, in a fervent (hopefully deeply sincere!) attempt to remedy what he views as a technical gap in upcoming standards. But, let's be clear: DJB had years to make *his technical case* in the NIST PQC process, and he didn't achieve what he hoped. Indeed, despite claiming early in the process that he would have a massive technical breakthrough that would break NewHope, Kyber, etc. (and thus, presumably lead to NTRU Prime being the chosen standard) -- which motivated the creation of the NIST PQC 3rd Round Seminar Talk Series https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions/round-3-seminars in the first place, which now continues to this day as https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline/pqc-seminars (and thus, is still open to DJB giving a technical talk with his long-promised cryptanalytic breakthroughs) So, DJB has moved to this IETF process: a more *political* and more *human* process, involving significantly less technical discussions, and hammered and hammered against the constraints of the process here itself to lead us to this point. 
After all, the worst thing for those advocating against pure-PQC solutions is a technical discussion on the cryptographic merits. On Sat, May 30, 2026 at 3:54 PM Tibor Jager <[email protected]> wrote: > > > On 30.05.26 14:11, John Mattsson wrote: > > > > - Most experts have a high degree of confidence in hash-based and > > lattice-based signatures. This includes US NIST, CNSA 2.0, European > > crypto agencies, as well as cryptographers in academia and industry, > > such as Sophie Schmieg [2]. > > This suggests a consensus in academia that, as far as I can tell, does > not exist. > > Regarding “most experts”: the authors themselves (!) of Dilithium/ML-DSA > recommend hybrid deployment. On their website they write (see > https://pq-crystals.org/dilithium/index.shtml): > > "For users who are interested in using Dilithium, we recommend the > following: [...] Use Dilithium in a so-called hybrid mode in combination > with an established "pre-quantum" signature scheme." > > > Similarly, for Kyber/ML-KEM (see > https://pq-crystals.org/kyber/index.shtml), they write: > > "For users who are interested in using Kyber, we recommend the > following: [...] Use Kyber in a so-called hybrid mode in combination > with established "pre-quantum" security; for example in combination with > elliptic-curve Diffie-Hellman. > > > This statement might of course be outdated, but I recently asked one of > the members of the CRYSTALS team whether this is still his view, and the > response was: "Yes, of course." > > > In my view, the concern is not with lattice-based cryptography as a > paradigm, nor with the algorithms. Also, not with backdoors. Rather, it > is with the underlying hardness assumptions and, in particular, the > concrete parameter choices. At present, these appear fine. However, > assuming that this assessment is unlikely to change seems optimistic. > > > > I am very unconvinced by people who criticize ML-DSA while > > not applying the same scrutiny to RSA, ECDSA, and EdDSA. 
The criticism > > of ML-DSA and IETF often applies double standards that don't survive > > scrutiny. > > > The above comparison is not entirely apt. 30-40 years ago, there were > fewer alternatives available, computational resources were much more > limited, and hybrid deployment was generally not a practical option. By > the time computational costs had decreased, RSA and > discrete-logarithm-based systems had already accumulated decades of > scrutiny and practical experience. > > More importantly, in my perspective, advocating hybrids is neither a > criticism of ML-DSA, nor an application of double standards. But it is a > matter of risk management. We are considering introducing algorithms > based on comparatively new hardness assumptions into the most important > cryptographic protocol on the Internet. There is nothing wrong with > optimism, but in this context one may also argue that a more cautious > approach is warranted. Better safe than sorry. > > > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
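The quoted CRYSTALS recommendation to run Kyber/ML-KEM in hybrid mode alongside elliptic-curve Diffie-Hellman, and Tibor's framing of hybrids as risk management, come down to one mechanical step: combining two independently derived shared secrets so that the session key stays secret unless both underlying problems are broken. The Python below is an added example written for this page, not code from the thread, the CRYSTALS team, or any TLS implementation. It models the concatenation combiner used by the TLS 1.3 hybrid key-exchange design (classical secret || post-quantum secret fed into HKDF) with a stdlib-only HKDF per RFC 5869. The shared secrets are constructed sample bytes rather than outputs of real X25519 or ML-KEM operations; the 32-byte sizes assume those two schemes, whose shared secrets are each 32 bytes.

```python
"""Hybrid KEM shared-secret combiner (added example, stdlib only).

The classical and post-quantum shared secrets are concatenated and run
through HKDF. Recovering only one component (because one scheme fell to
cryptanalysis) leaves the attacker without half of the input keying
material, which is the risk-management argument for hybrid deployment.
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

# Assumed component sizes: X25519 and ML-KEM shared secrets are both 32 bytes.
# Fixed sizes matter: concatenation is only unambiguous when lengths are fixed.
SS_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: absent salt is HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF-Expand")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes,
                           transcript_hash: bytes, length: int = 32) -> bytes:
    """Derive one session key from two independent shared secrets.

    IKM is ss_classical || ss_pq. The handshake transcript hash is bound
    into the info string so the key is tied to this particular exchange.
    The label "hybrid key" is a constructed value for this example.
    """
    if len(ss_classical) != SS_LEN or len(ss_pq) != SS_LEN:
        raise ValueError("each shared secret must be exactly %d bytes" % SS_LEN)
    prk = hkdf_extract(salt=b"", ikm=ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid key" + transcript_hash, length)


def demo() -> dict:
    """Both peers derive the same key; an attacker holding only the PQ secret does not."""
    transcript = hashlib.sha256(b"constructed handshake transcript").digest()
    ss_ecdh = secrets.token_bytes(SS_LEN)   # stands in for an X25519 shared secret
    ss_kem = secrets.token_bytes(SS_LEN)    # stands in for an ML-KEM shared secret
    client_key = combine_shared_secrets(ss_ecdh, ss_kem, transcript)
    server_key = combine_shared_secrets(ss_ecdh, ss_kem, transcript)
    # Threat model for the demo: the PQ scheme is assumed broken, so ss_kem is
    # known to the attacker, but the classical secret is not. A wrong guess for
    # the classical half yields an unrelated key.
    attacker_key = combine_shared_secrets(bytes(SS_LEN), ss_kem, transcript)
    return {"peers_agree": client_key == server_key,
            "attacker_recovers_key": attacker_key == client_key}


if __name__ == "__main__":
    print(demo())
```

The same structure applies in the other direction: if the classical component is the one that falls (for example to a large quantum computer), the post-quantum half of the IKM still protects the derived key. The combiner itself is only as good as its inputs being fixed-length and independently generated, which is why the length check is not optional.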
