[TLS] Re: Complaint to ADs and IESG regarding TLS WG chairs falsely claiming WG consensus to issue an RFC for draft-ietf-tls-mldsa
Daniel Apon <dapon.crypto@gmail.com> Mon, 01 June 2026 19:40 UTC
From: Daniel Apon <dapon.crypto@gmail.com>
Date: Mon, 01 Jun 2026 15:40:03 -0400
To: Tibor Jager <jager@uni-wuppertal.de>
CC: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8x2S0XNCLc2qTcjrGPdHaWB8sgg>

" This statement might of course be outdated, but I recently asked one of the members of the CRYSTALS team whether this is still his view, and the response was: "Yes, of course." "

I also recently asked *TWO* members of the CRYSTALS team whether they support hybrids in their view, and their joint response, which they wrote in tiki torches -- flaming and placed across the facade of a certain skyscraper located in the Iberian Peninsula, with a massive fireworks show celebrating the lighting of these torches -- was "No, of course not!"

[[*The above was said facetiously*. In full disclosure, I have not been explicitly told by the CRYSTALS team that they lit fiery torches in the Iberian Peninsula with a massive fireworks show in support of any particular cryptographic viewpoint.]]

-----

*On a more serious note:*

This entire thread of discussion is blatantly lacking in any novel, critical technical material.

In fact, this entire thread of discussion has been kicked off by DJB, in a fervent (hopefully deeply sincere!) attempt to remedy what he views as a technical gap in upcoming standards.

But, let's be clear: DJB had years to make *his technical case* in the NIST PQC process, and he didn't achieve what he hoped.

Indeed, despite claiming early in the process that he would have a massive technical breakthrough that would break NewHope, Kyber, etc. (and thus, presumably lead to NTRU Prime being the chosen standard) -- which motivated the creation of the NIST PQC 3rd Round Seminar Talk Series https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions/round-3-seminars in the first place, which now continues to this day as https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline/pqc-seminars (and thus, is still open to DJB giving a technical talk with his long-promised cryptanalytic breakthroughs)

So, DJB has moved to this IETF process: a more *political* and more *human* process, involving significantly less technical discussions, and hammered and hammered against the constraints of the process here itself to lead us to this point.

After all, the worst thing for those advocating against pure-PQC solutions is a technical discussion on the cryptographic merits.

On Sat, May 30, 2026 at 3:54 PM Tibor Jager <jager@uni-wuppertal.de> wrote:

>
>
> On 30.05.26 14:11, John Mattsson wrote:
> >
> > - Most experts have a high degree of confidence in hash-based and
> > lattice-based signatures. This includes US NIST, CNSA 2.0, European
> > crypto agencies, as well as cryptographers in academia and industry,
> > such as Sophie Schmieg [2].
>
> This suggests a consensus in academia that, as far as I can tell, does
> not exist.
>
> Regarding “most experts”: the authors themselves (!) of Dilithium/ML-DSA
> recommend hybrid deployment. On their website they write (see
> https://pq-crystals.org/dilithium/index.shtml)
>
> "For users who are interested in using Dilithium, we recommend the
> following: [...] Use Dilithium in a so-called hybrid mode in combination
> with an established "pre-quantum" signature scheme."
>
>
> Similarly, for Kyber/ML-KEM (see
> https://pq-crystals.org/kyber/index.shtml) they write:
>
> "For users who are interested in using Kyber, we recommend the
> following: [...] Use Kyber in a so-called hybrid mode in combination
> with established "pre-quantum" security; for example in combination with
> elliptic-curve Diffie-Hellman.
>
>
> This statement might of course be outdated, but I recently asked one of
> the members of the CRYSTALS team whether this is still his view, and the
> response was: "Yes, of course."
>
>
> In my view, the concern is not with lattice-based cryptography as a
> paradigm, nor with the algorithms. Also, not with backdoors. Rather, it
> is with the underlying hardness assumptions and, in particular, the
> concrete parameter choices. At present, these appear fine. However,
> assuming that this assessment is unlikely to change seems optimistic.
>
> >
> > I am very unconvinced by people who criticize ML-DSA while
> > not applying the same scrutiny to RSA, ECDSA, and EdDSA. The criticism
> > of ML-DSA and IETF often applies double standards that don't survive
> > scrutiny.
>
>
> The above comparison is not entirely apt. 30-40 years ago, there were
> fewer alternatives available, computational resources were much more
> limited, and hybrid deployment was generally not a practical option. By
> the time computational costs had decreased, RSA and
> discrete-logarithm-based systems had already accumulated decades of
> scrutiny and practical experience.
>
> More importantly, in my perspective, advocating hybrids is neither a
> criticism of ML-DSA, nor an application of double standards. But it is a
> matter of risk management. We are considering introducing algorithms
> based on comparatively new hardness assumptions into the most important
> cryptographic protocol on the Internet. There is nothing wrong with
> optimism, but in this context one may also argue that a more cautious
> approach is warranted. Better safe than sorry.
>
>
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>