2026-06-03 14:50 GMT+02:00 D. J. Bernstein <[email protected]>:
> Filippo Valsorda writes:
> > all easy to find
> 
> Sorry, I still don't understand what you meant in claiming that there
> will be "exceedingly few bugs" in ML-DSA software. How many bugs and how
> many severe vulnerabilities are you estimating? Where are you getting
> these numbers from?
> 
> Since your posting said that "a single broken key per month can be
> catastrophic" and that a disaster chance above 1% is unacceptable since
> "you are betting with your users' lives", I _think_ you're claiming that
> there's a >99% chance that there are zero severe vulnerabilities in the
> entire ML-DSA software ecosystem. But I'd appreciate a clear statement
> so that I'm sure I'm not misunderstanding something.

You are characteristically cherry-picking quotes from other venues, drawing 
false comparisons, and then demanding explanations. In a better-moderated 
forum, this behavior would be sanctioned as disruptive.

In particular, you are taking my statement that there is now a > 1% chance of 
Ed25519/ECDSA/RSA being broken by a QC before 2030, and demanding I defend a 
different statement about ML-DSA I did not make. If you're confused about that, 
it's not my responsibility. I do stand by my assessment that the risk of ML-DSA 
forgeries (due to bugs or cryptanalysis) is smaller than that of 
Ed25519/ECDSA/RSA forgeries (due to bugs or quantum computers) or composite 
forgeries (due to bugs or due to their rollout being slower than quantum 
computers).

You are also not engaging with the parts of the conversation that don't suit 
your narrative, so this is not helping anyone, and this will be my last reply. 
I do have one final question: are you going to publish a retraction of your 
statements on the applicability and availability of Project Wycheproof test 
vectors, now that they were shown to be factually inaccurate?
_______________________________________________
TLS mailing list -- [email protected]