[TLS] Re: ML-DSA in TLS

"D. J. Bernstein" <djb@cr.yp.to> Sat, 16 November 2024 08:57 UTC

Date: Sat, 16 Nov 2024 08:57:03 -0000
Message-ID: <20241116085703.138618.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <CACsn0c=mT-19uB35R0FGxa_eyOeKVq=vY1AzSh78M18Ss_f3Gw@mail.gmail.com>
Message-ID-Hash: FGXYGFHS2NSCGDQ27ATXZRGUF3IEWDE2
Precedence: list
Subject: [TLS] Re: ML-DSA in TLS
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/77uUYhGJYNVQIp9heMY9bkbKbaA>

Watson Ladd writes:
> Authentication is not like encryption.

I presume that you're alluding to the following process: if the PQ
signature system is broken, we revert to ECC signatures, and then the
attacker doesn't benefit from forging the no-longer-accepted signatures
(whereas we can't stop attackers from breaking previous ciphertexts).

This process leaves computers completely exposed until they've reverted
to ECC. Sure, some environments are fast to make changes, but some
aren't. For comparison, using ECC+PQ in the first place avoids this
security failure, and will make many people less hesitant to upgrade.

The revert-in-case-of-disaster process also leaves computers completely
exposed to PQ attacks that haven't come to the public's attention yet.
Out of the 69 round-1 submissions to NIST, 33 have been publicly broken
by now (see https://cr.yp.to/papers.html#pqsrc) with some of the
attacks not published for years; is it so hard to imagine that
large-scale attackers found some attacks before the public did?

More broadly, conflating "no attacks have been published" with "no
attacks are being carried out" is unjustified, an extreme form of
availability bias. Occasionally there are leaks from attackers
illustrating how much damage this mistake has done. Example:

https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

---D. J. Bernstein

[TLS] Re: ML-DSA in TLS John Mattsson
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Deirdre Connolly
[TLS] Re: ML-DSA in TLS Bas Westerbaan
[TLS] Re: ML-DSA in TLS Kris Kwiatkowski
[TLS] Re: ML-DSA in TLS Bas Westerbaan
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Eric Rescorla
[TLS] Re: ML-DSA in TLS Bas Westerbaan
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Deirdre Connolly
[TLS] Re: ML-DSA in TLS Tim Hollebeek
[TLS] Re: ML-DSA in TLS Ilari Liusvaara
[TLS] Re: ML-DSA in TLS Stephen Farrell
[TLS] Re: ML-DSA in TLS Ilari Liusvaara
[TLS] Re: ML-DSA in TLS Deirdre Connolly
[TLS] Re: ML-DSA in TLS Tim Hollebeek
[TLS] Re: ML-DSA in TLS Eric Rescorla
[TLS] Re: ML-DSA in TLS Bas Westerbaan
[TLS] Re: ML-DSA in TLS Scott Fluhrer (sfluhrer)
[TLS] Re: ML-DSA in TLS Eric Rescorla
[TLS] Re: ML-DSA in TLS Bas Westerbaan
[TLS] Re: ML-DSA in TLS Watson Ladd
[TLS] Re: ML-DSA in TLS Scott Fluhrer (sfluhrer)
[TLS] Re: ML-DSA in TLS Watson Ladd
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Bas Westerbaan
[TLS] Re: ML-DSA in TLS John Mattsson
[TLS] Re: ML-DSA in TLS Russ Housley
[TLS] Re: ML-DSA in TLS Stephen Farrell
[TLS] Re: ML-DSA in TLS Stephen Farrell
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Watson Ladd
[TLS] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: ML-DSA in TLS Tim Hollebeek
[TLS] Re: [EXT] Re: ML-DSA in TLS Watson Ladd
[TLS] Re: ML-DSA in TLS tirumal reddy
[TLS] Re: ML-DSA in TLS Santosh Chokhani
[TLS] Re: ML-DSA in TLS Watson Ladd
[TLS] Re: ML-DSA in TLS John Mattsson
[TLS] Re: [EXT] Re: ML-DSA in TLS Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: [EXT] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: ML-DSA in TLS Bas Westerbaan
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: [EXT] Re: ML-DSA in TLS tirumal reddy
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Stephen Farrell
[TLS] Re: ML-DSA in TLS Stephen Farrell
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: ML-DSA in TLS Deirdre Connolly
[TLS] Re: ML-DSA in TLS Eric Rescorla
[TLS] Re: ML-DSA in TLS aebecke@uwe.nsa.gov
[TLS] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: ML-DSA in TLS Salz, Rich
[TLS] Re: ML-DSA in TLS Salz, Rich
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: ML-DSA in TLS Scott Fluhrer (sfluhrer)
[TLS] Re: ML-DSA in TLS aebecke@uwe.nsa.gov
[TLS] Re: ML-DSA in TLS Tim Hollebeek
[TLS] Re: [EXT] Re: ML-DSA in TLS D. J. Bernstein
[TLS] ML-DSA in TLS Bas Westerbaan
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS aebecke@uwe.nsa.gov
[TLS] Re: ML-DSA in TLS Deirdre Connolly
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: ML-DSA in TLS Tim Hollebeek
[TLS] Re: ML-DSA in TLS Scott Fluhrer (sfluhrer)
[TLS] Re: ML-DSA in TLS John Mattsson
[TLS] Re: [EXTERNAL] Re: ML-DSA in TLS Andrei Popov
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Ilari Liusvaara
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS Rebecca Guthrie
[TLS] Re: ML-DSA in TLS John Mattsson
[TLS] Re: ML-DSA in TLS Salz, Rich
[TLS] Re: ML-DSA in TLS Bas Westerbaan
[TLS] Re: [EXT] Re: ML-DSA in TLS Watson Ladd
[TLS] Re: [EXT] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: [EXT] Re: ML-DSA in TLS Watson Ladd
[TLS] Re: [EXT] Re: ML-DSA in TLS tirumal reddy
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: ML-DSA in TLS Deirdre Connolly
[TLS] Re: ML-DSA in TLS Scott Fluhrer (sfluhrer)
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: [EXT] Re: ML-DSA in TLS Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: ML-DSA in TLS Blumenthal, Uri - 0553 - MITLL
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: ML-DSA in TLS John Mattsson
[TLS] Re: [EXT] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: [EXT] Re: ML-DSA in TLS Ilari Liusvaara
[TLS] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: [EXT] Re: ML-DSA in TLS Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: [EXT] Re: ML-DSA in TLS John Mattsson
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: [EXT] Re: ML-DSA in TLS John Mattsson
[TLS] Re: [EXT] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: [EXT] Re: ML-DSA in TLS Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: ML-DSA in TLS D. J. Bernstein
[TLS] Re: ML-DSA in TLS Alicja Kario
[TLS] Re: [EXT] Re: ML-DSA in TLS Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: ML-DSA in TLS Andrey Jivsov
[TLS] Re: [EXT] Re: ML-DSA in TLS tirumal reddy
[TLS] Re: [EXT] Re: ML-DSA in TLS tirumal reddy
[TLS] Re: [EXT] Re: ML-DSA in TLS Scott Fluhrer (sfluhrer)
[TLS] Re: [EXT] Re: ML-DSA in TLS Scott Fluhrer (sfluhrer)
[TLS] Re: [EXT] Re: ML-DSA in TLS John Mattsson
[TLS] Re: [EXT] Re: ML-DSA in TLS Blumenthal, Uri - 0553 - MITLL
[TLS] Re: [EXT] Re: ML-DSA in TLS D. J. Bernstein