P.S. in full disclosure, I maintain my position of Recommended=Y for hybrid solutions, as well as supporting pure-PQC solutions being obviously standardized as well.
On Mon, Jun 1, 2026 at 3:40 PM Daniel Apon <[email protected]> wrote:

> "This statement might of course be outdated, but I recently asked one of the members of the CRYSTALS team whether this is still his view, and the response was: "Yes, of course.""
>
> I also recently asked *TWO* members of the CRYSTALS team whether they support hybrids in their view, and their joint response, which they wrote in tiki torches -- flaming and placed across the facade of a certain skyscraper located in the Iberian Peninsula, with a massive fireworks show celebrating the lighting of these torches -- was "No, of course not!"
>
> [[*The above was said facetiously*. In full disclosure, I have not been explicitly told by the CRYSTALS team that they lit fiery torches in the Iberian Peninsula with a massive fireworks show in support of any particular cryptographic viewpoint.]]
>
> -----
>
> *On a more serious note:* This entire thread of discussion is blatantly lacking in any novel, critical technical material.
>
> In fact, this entire thread of discussion has been kicked off by DJB, in a fervent (hopefully deeply sincere!) attempt to remedy what he views as a technical gap in upcoming standards.
> But, let's be clear: DJB had years to make *his technical case* in the NIST PQC process, and he didn't achieve what he hoped.
>
> Indeed, despite claiming early in the process that he would have a massive technical breakthrough that would break NewHope, Kyber, etc. (and thus, presumably lead to NTRU Prime being the chosen standard) -- which motivated the creation of the NIST PQC 3rd Round Seminar Talk Series https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions/round-3-seminars in the first place, which now continues to this day as https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline/pqc-seminars (and thus, is still open to DJB giving a technical talk with his long-promised cryptanalytic breakthroughs)
>
> So, DJB has moved to this IETF process: a more *political* and more *human* process, involving significantly less technical discussions, and hammered and hammered against the constraints of the process here itself to lead us to this point.
>
> After all, the worst thing for those advocating against pure-PQC solutions is a technical discussion on the cryptographic merits.
>
> On Sat, May 30, 2026 at 3:54 PM Tibor Jager <[email protected]> wrote:
>
>> On 30.05.26 14:11, John Mattsson wrote:
>> >
>> > - Most experts have a high degree of confidence in hash-based and lattice-based signatures. This includes US NIST, CNSA 2.0, European crypto agencies, as well as cryptographers in academia and industry, such as Sophie Schmieg [2].
>>
>> This suggests a consensus in academia that, as far as I can tell, does not exist.
>>
>> Regarding “most experts”: the authors themselves (!) of Dilithium/ML-DSA recommend hybrid deployment. On their website they write (see https://pq-crystals.org/dilithium/index.shtml):
>>
>> "For users who are interested in using Dilithium, we recommend the following: [...] Use Dilithium in a so-called hybrid mode in combination with an established "pre-quantum" signature scheme."
>>
>> Similarly, for Kyber/ML-KEM (see https://pq-crystals.org/kyber/index.shtml), they write:
>>
>> "For users who are interested in using Kyber, we recommend the following: [...] Use Kyber in a so-called hybrid mode in combination with established "pre-quantum" security; for example in combination with elliptic-curve Diffie-Hellman."
>>
>> This statement might of course be outdated, but I recently asked one of the members of the CRYSTALS team whether this is still his view, and the response was: "Yes, of course."
>>
>> In my view, the concern is not with lattice-based cryptography as a paradigm, nor with the algorithms. Also, not with backdoors. Rather, it is with the underlying hardness assumptions and, in particular, the concrete parameter choices. At present, these appear fine. However, assuming that this assessment is unlikely to change seems optimistic.
>>
>> > I am very unconvinced by people who criticize ML-DSA while not applying the same scrutiny to RSA, ECDSA, and EdDSA. The criticism of ML-DSA and IETF often applies double standards that don't survive scrutiny.
>>
>> The above comparison is not entirely apt. 30-40 years ago, there were fewer alternatives available, computational resources were much more limited, and hybrid deployment was generally not a practical option. By the time computational costs had decreased, RSA and discrete-logarithm-based systems had already accumulated decades of scrutiny and practical experience.
>>
>> More importantly, in my perspective, advocating hybrids is neither a criticism of ML-DSA, nor an application of double standards. But it is a matter of risk management. We are considering introducing algorithms based on comparatively new hardness assumptions into the most important cryptographic protocol on the Internet. There is nothing wrong with optimism, but in this context one may also argue that a more cautious approach is warranted. Better safe than sorry.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
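The Kyber/ML-KEM recommendation quoted in the thread above, ML-KEM in hybrid mode with elliptic-curve Diffie-Hellman, as an added example that is not part of the thread or the CRYSTALS team's own code: X25519 and ML-KEM-768 (Go's standard crypto/ecdh and crypto/mlkem, Go 1.24 or later) are run side by side and their shared secrets combined, so the session key stays secret if either assumption holds. The combiner label and the plain SHA-256 combiner are assumptions for illustration, not the TLS 1.3 key schedule.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"slices"
)

// combine binds both shared secrets and both ciphertexts into one 32-byte session key, which stays
// secret as long as either component does. Assumption: a labelled SHA-256 combiner, not TLS 1.3's.
func combine(ecdhSS, pqSS, ecdhCT, pqCT []byte) []byte {
	sum := sha256.Sum256(slices.Concat([]byte("example-x25519-mlkem768"), ecdhSS, pqSS, ecdhCT, pqCT))
	return sum[:]
}

// Encapsulate is the sender side: an ephemeral X25519 exchange plus an ML-KEM-768 encapsulation.
// The two "ciphertexts" sent are the ephemeral X25519 public key and the ML-KEM ciphertext.
func Encapsulate(ecdhPub *ecdh.PublicKey, pqPub *mlkem.EncapsulationKey768) (key, ecdhCT, pqCT []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	ecdhSS, err := eph.ECDH(ecdhPub)
	if err != nil {
		return nil, nil, nil, err
	}
	pqSS, pqCT := pqPub.Encapsulate()
	ecdhCT = eph.PublicKey().Bytes()
	return combine(ecdhSS, pqSS, ecdhCT, pqCT), ecdhCT, pqCT, nil
}

// Decapsulate is the recipient side. A corrupted ML-KEM ciphertext does not return an error:
// implicit rejection yields an unrelated secret, so the mismatch shows only when keys are compared.
func Decapsulate(ecdhKey *ecdh.PrivateKey, pqKey *mlkem.DecapsulationKey768, ecdhCT, pqCT []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(ecdhCT)
	if err != nil {
		return nil, err
	}
	ecdhSS, err := ecdhKey.ECDH(peer)
	if err != nil {
		return nil, err
	}
	pqSS, err := pqKey.Decapsulate(pqCT)
	if err != nil {
		return nil, err
	}
	return combine(ecdhSS, pqSS, ecdhCT, pqCT), nil
}
```

Because the session key is a hash over both secrets, an attacker who could recover the ML-KEM secret (or the X25519 secret) alone still cannot derive it; a tampered ML-KEM ciphertext silently produces a different key rather than an error, so callers must confirm key agreement (for example through a key-confirmation message) rather than rely on an error path.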
