[TLS] Re: [EXT] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

David Stainton <dstainton415@gmail.com> Thu, 23 April 2026 03:12 UTC

Return-Path: <dstainton415@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9F363E159344 for <tls@mail2.ietf.org>; Wed, 22 Apr 2026 20:12:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776913923; bh=5TAj7r006dWeRyPjMiK6TIXA/mE9tKzN1Kw/oigj4ns=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=WUDcA0UPlcBdPXHkInmlbiuRLeviUwyBvSyApllyPdLbyKREa7qBOTA0pWsjPzKe0 jtmSMV4RjYApllkujVYzMqPklBYii3ZO5qwEr994TQpoRvNOZy/AwXTszxdty/Uxrc eiMvijjpHZ6o0/OofQ55wGUJ188xV7rGrY1GuB4E=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.849
X-Spam-Level:
X-Spam-Status: No, score=-1.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Az2UZkLr8Jpe for <tls@mail2.ietf.org>; Wed, 22 Apr 2026 20:12:02 -0700 (PDT)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3B81AE159234 for <tls@ietf.org>; Wed, 22 Apr 2026 20:11:47 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id 2adb3069b0e04-5a62f43b76aso1403946e87.3 for <tls@ietf.org>; Wed, 22 Apr 2026 20:11:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1776913906; cv=none; d=google.com; s=arc-20240605; b=cGlwo5z+lIhYetdtmgm4AAQb3mPgRys0HxqLKB8c2+W8PNBSYnoXlRS5+OwJK8/C+T c8iHtvV3xm41pOozdSe9Q1yqLfqBOsro5Hz40/9ox/oZkVuEuwqOZ2pR/lFQLqMuSR6O 4ExcBZeBC36yLpbG+DILhoGz6XWpsGaxog6VubhsZMe6x2AONxbDmZGkbyH7vbEb9+9z cUqJLlVy26bPFkdsT4dBPFM2QiMaKol/h3zZr6ikBwymX8WhG/iwK9gmfBa6ltrx32WA JBNSWOlEDNHjL759xo40jWVi9weZ9bMWRVniKULRIXtbexJKIY3SOwc+GRP5N1D87+XR ZXDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=5TAj7r006dWeRyPjMiK6TIXA/mE9tKzN1Kw/oigj4ns=; fh=LqTlhu46F99mB/m+JSI83B1JzpLn9xXquEKrPsh0jpA=; b=Lv77MGQTh9JfkgOZn4JxhluuebD8hLSUxNEXQWD/2kghCueDw2Vcs21ycZ4KIPIEyp cliuShxd4u+D62nYDDijrr9IFa0DjqUIQx4s0gbEl+PbKbzXVq8Jjc1XwhUOfZlR+780 NbM8qt1+IukLnLora2IeCWF9QMUJBsMdMbYVei1397DHtF5MzDXIPMXKch5ug1PW7Xzk ugw1s3uqwkVshxDILzBfma0ahUFxOjvHN9/lRXUgGBbvttTEsuf97cQk6vu3qdAM2J1N vJBqoGCXsY0f9HK8c++jjY6JHwqXGOvUA/Y0VebbmSKVL3ANVGs2O8MZ0Lxp0lqP8u8I idjw==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776913906; x=1777518706; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=5TAj7r006dWeRyPjMiK6TIXA/mE9tKzN1Kw/oigj4ns=; b=EFQtvtGcfMsMVz8rz6FSk/M79sZwtFAEEQj9vg2rDsrLqH2sRyscIJAPnC1AOG3pRa 1k+3foeJN9nbw961zXXV5X2aSavYyUBqBKUCUazeVpWdYx4469PfVSEtbwiKbM3Y61OC bN7BzP+lJUMFb5NhDX4l0JzvQuL7MPy/7Sj6thkQXE5/kV6emAcfztVYsFOKLQLW2iXg t51nRlDZQrFf4RRFNSw9ett5epHqcpr0ufv7sEnNOSOWhN24NF2/ibXeDM0wSeX+tywy lPtkGJOVLozvJhfD5hkh7GdddDy2DNfNGRpVBiiHlr81AMVfnT6nrnViQbxDapcZX/do 4W1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776913906; x=1777518706; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=5TAj7r006dWeRyPjMiK6TIXA/mE9tKzN1Kw/oigj4ns=; b=d/+0/5fUsgf3Scuzl9T9DB5axCLaI2fCe1Tl1AjsySda2+g2T/eLRVkkqGIuf57bNB tqNpU45xqmPJ3Mj72xfzPWnYLq5zGY00GlTLF2kLGcQ3o8b74UYJwSb1JxkzwsAlVAuy WZTeMNLhB25WKvLnAWmWpVGD/+UWubOOt9IAGJWbUl/4crnhB6xcyp2rXxCvL//Y4wLP d6TBQ83g62YaoVyYVNZT4CP7KrNakayOGRXtkv8oHy0Kx/M7ozGJEd4sX0msklRdvWSo TqS/0eKUu3s2x3xSPtgTnKYtLL7wazd1RXxujbP3vfBFugySbyxC5aCP+4n+XQLLgGhl L9qw==
X-Forwarded-Encrypted: i=1; AFNElJ9mbzE3HWXeo3JZdGEHbY2yjJsAowdydxSM79RQ69fWbASxod5xky9sjtfWiZKIu32AyKw=@ietf.org
X-Gm-Message-State: AOJu0YyZ5ybA3QjXUIu7F4lygJkbNVJdwLbplUoiG7/BeONjqPd50imY 0+NrLx3PaAQXLaphQgV8s0RfngGMfeH5xiAcnNrLuVqJKhF9uNFbDuK4+OGW9gVAOkiBVljLeVq zG/MXHjyabr/OFxm43uGlVH/ay8yYA4WPNeDeKNMF23WXxlM=
X-Gm-Gg: AeBDievtogb0RTBI66JCHu6XV49bcLk0al7C73qWd3UbD/eckaBKil+GebGCDDsqA20 GfG/CKYwc6qsU4sKOpzJD3ovHu6gMMu6Ob4Q57OVUkkShTKuHvvKSkJ4/qMhPze2tdF6oF0Kk3m oGvxGJLBd69xPR/AbNAkupMQx+eJCZR+gzwDDdLqYo7yRIyQ7IZZTpGcq3NTwQFSNVJEqmEkyc4 DRW7mGBy1bE2GlEG3/BK+MTe780KmXDdguM8HnV6TJawrT6n6JcrdeMZRR2HoqezhT4P6rome1D N1Ydswa/e1UQcAk4aFHbqHil6X0vrXQXQfR/Y++N83/CHMOF3l6kEfOgXZVX+W92ZejeHrHTRiY ljc8DLR15Zsrb
X-Received: by 2002:a05:6512:6cb:b0:5a3:ffc0:882d with SMTP id 2adb3069b0e04-5a4172eabc4mr8612887e87.41.1776913905563; Wed, 22 Apr 2026 20:11:45 -0700 (PDT)
MIME-Version: 1.0
References: <CANm5x_OdZ5U0G+ctATQxPWRGMZxEVrC_1oi4vdeT4mAEZwXHrQ@mail.gmail.com> <B1335D87-5055-4F4C-9F02-9C4A0D3BE890@ll.mit.edu> <584929a9-17b5-40f4-a98d-a58c32c90774@appelbaum.net> <CAPxHsS+hbRr5ouO9p=_KowV19Q3uyEh2AtDe=C5kUd+bm4j9RA@mail.gmail.com>
In-Reply-To: <CAPxHsS+hbRr5ouO9p=_KowV19Q3uyEh2AtDe=C5kUd+bm4j9RA@mail.gmail.com>
From: David Stainton <dstainton415@gmail.com>
Date: Thu, 23 Apr 2026 05:11:33 +0200
X-Gm-Features: AQROBzDUj7sFCHfsSE0rgl4FcDNSAfojLGZRQ6rhwM12yf2QO8RbvXV5dDK2688
Message-ID: <CAFN1edpbGq_A-M6-0nBkp-Ng_X_en1_4mVnLs4f6fmJY-z3f6w@mail.gmail.com>
To: Daniel Apon <dapon.crypto@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: LFEWOITOUR73E6VDKR2AGAVQG4DMBQXO
X-Message-ID-Hash: LFEWOITOUR73E6VDKR2AGAVQG4DMBQXO
X-MailFrom: dstainton415@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Nicola Tuveri <nic.tuv@gmail.com>, "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXT] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FGecF0Ml3iHC_Jnp_der5aFvQXM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I am astonished at the level of disinterest with respect to the
horrible situation we'll be in if there are successful forgery
attacks.
And I am disappointed that so many of you argue for pure ML-DSA.
Successful forgery attacks will be very difficult to recover from.
I strongly oppose the pure ML-DSA and my suggestion is that only
hybrid schemes should be standardized for TLS.

And I think what is standardized for TLS might have inspirational
effects on other projects but mind you certainly not my projects.

My work is now solely focused on building a post quantum mix network.
We don't use TLS at all however, I think the comparison between the
two is illustrative.
If the Katzenpost mixnet were to use a PQ only signature scheme which
at some point becomes broken there are so many complex attacks that
could be done.
The entire set of privacy and security notions of the mixnet collapses
entirely. Attackers would be able to hijack the dirauth voting system
and install any new mix nodes they wish. Attackers will thus be able
to eventually control entire routes through the mixnet, rendering all
security guarantees meaningless but perhaps more importantly removing
all anonymity guarantees as well, exposing who is talking to whom.

At the end of the day I feel like these arguments against hybrids are
conducted in bad faith either because of NSA influence or due to some
kind of personal desire to become a power wielding bureaucrat in the
world of cryptographic and IETF standards. There's a certain type of
cryptographer that just loves to say no to good design ideas and they
are present here in multitudes. Good job guys. We've missed the train.
According to Phil Rogaway's "the moral character of cryptographic
work" we're supposed to be trying to help people, trying to help
prevent human rights violations and working on things that are
socially relevant.

On Thu, Apr 23, 2026 at 4:38 AM Daniel Apon <dapon.crypto@gmail.com> wrote:
>
> Hi Jacob,
>
> You wrote:
> " A non-exhaustive list of ways that one might avoid pure PQ:
> - if the PQ crypto fails as SIKE failed
> - if some or all of Peter Gutmann's criticisms about CRQCs are correct
> - if the PQ crypto fails in a novel way that CRQCs enable
> - if the it is impractical to break both ECC and the PQ during the
> window in which it matters
> - if the PQ crypto deployment gives adversaries an opportunity to
> sabotage previously functional cryptography and thus break security
> - recommendations and/or regulations that impose a hybrid requirement"
>
>
> Please allow me to address each (trying to delineate where reasonable points of disagreement exist versus points that don't, to me, seem reasonable):
>
>
> " - if the PQ crypto fails as SIKE failed"
>
> This is a common public misunderstanding of the NIST PQC process.
> One should not view SIKE as being broken as a knock against greater-than-decade-long PQC standardization processes, but rather a wildly successful outcome of such processes and a testament to the mathematical rigor applied to PQC standardization that SIKE *was not standardized* while waiting for an attack to be published. Full stop.
>
>
> " - if some or all of Peter Gutmann's criticisms about CRQCs are correct"
>
> Without diving down into rabbit holes about dogs and waffles or whatever other satire, was there a serious technical point worth highlighting?
> Historically, one of the best "cartoon form" arguments in Garey and Johnson's book "Computers and Intractability: A Guide to the Theory of NP-Completeness" was on page 3, captioned:
> "I can't find an efficient algorithm, but neither can all these famous people."
>
> To wit: in this situation, we have many famous people working on building CRQCs. Some have recently won the Nobel Prize in Physics for their work towards large-scale quantum computing engineering.
> To be clear, the majority corpus of expert opinion is clearly in favor of a near-to-medium-term CRQC emerging.
>
>
> " - if the PQ crypto fails in a novel way that CRQCs enable"
>
> There seems to be no such potential pathways that are believable/known, despite various attempts in the past years by Yilei Chen and Yifan Zhang.
>
>
> " - if the it is impractical to break both ECC and the PQ during the
> window in which it matters"
>
> This is somewhat of a more valid point, and it comes down to a question of the intelligence lifespan of data.
> In some scenarios, maybe an hour or a day is the relevant information content of data.
> In others, years or decades are not enough to erase the sensitivity of communications.
>
> Certainly, hybrid ECC+PQC (in whatever form it occurs) may be more reasonable for relatively less sensitive data, but for more sensitive data, the "window in which it matters" is inherently long.
>
>
> " - if the PQ crypto deployment gives adversaries an opportunity to sabotage previously functional cryptography and thus break security"
>
> I suppose that's why the world participated in a decade-long common evaluation process to vet the new cryptography, which was not only standardized without serious technical objection to the security of the PQ cryptographies, but was standardized with alternative technical opinions left objectively wanting in public. It took many years for the global conversation to reach that final point.
>
>
> " - recommendations and/or regulations that impose a hybrid requirement"
>
> This is a great reason to want an option for hybrid PQC+ECC, but it's not a reason to forbid pure PQC.
> Businesses (such as mine) that participate as vendors in multiple markets will spend the appropriate effort to satisfy local regulations in each jurisdiction, of course.
>
> Kind regards,
> --Daniel
>
> On Wed, Apr 22, 2026 at 5:49 PM Jacob Appelbaum <jacob@appelbaum.net> wrote:
>>
>> Hello Uri,
>>
>> On 4/22/26 21:52, Blumenthal, Uri - 0553 - MITLL wrote:
>> > There can be arguments about the life expectancy of hybrids - from
>> > zero to CRQC appearance - but can be no objection to the point that
>> > once CRQC is here, only pure PQ will make sense.
>> >
>>
>> With respect, I suspect that there there will be measurements rather
>> than mere speculative arguments.
>>
>> The life expectancy will depend greatly on such a machine existing, who
>> has such a machine, who is willing to reveal that they have such a
>> machine, how efficient and/or useful it is for practical attacks, and
>> most importantly if the PQ cryptography actually survives contact with
>> that reality. The latter point seems particularly challenging as a
>> discussion point.
>>
>> Something that I haven't seen raised in this discussion is a possible
>> middle ground where we see something like the proposed
>> TWINKLE[0]/TWIRL[1] machines where breaking a single key may be feasible
>> but cost prohibitive at scale. Those proposed systems did not force RSA
>> into retirement. Meanwhile, LOGJAM[2] resulted in RFC8270 rather than
>> RSA's end.
>>
>> There are several kinds of PQ failures that we have seen, additional
>> failures that we expect to see, and a few that many of us hope won't
>> happen at all. SIKE remains a humbling example that is seemingly avoided
>> in many of these discussions.
>>
>> > Thus, arguing against pure PQ makes no sense in my opinion: you may
>> > be able to delay long enough to avoid hybrids, but there’s no way
>> > you’d avoid pure PQ. — Regards, Uri
>>
>> As of today, there isn't a quantum computer that is public and breaking
>> ECC. We are fairly confident that ECC is secure today modulo various
>> kinds of NOBUS and other kinds of cryptographic sabotage. We are also
>> fairly confident that ECC will fall eventually if there is a quantum
>> computer. Most people are confident that there will be a relevant
>> quantum computer and that we should prepare. It seems odd to prepare by
>> increasing the risk of attacks by computers that already exist today.
>>
>> A non-exhaustive list of ways that one might avoid pure PQ:
>> - if the PQ crypto fails as SIKE failed
>> - if some or all of Peter Gutmann's criticisms about CRQCs are correct
>> - if the PQ crypto fails in a novel way that CRQCs enable
>> - if the it is impractical to break both ECC and the PQ during the
>> window in which it matters
>> - if the PQ crypto deployment gives adversaries an opportunity to
>> sabotage previously functional cryptography and thus break security
>> - recommendations and/or regulations that impose a hybrid requirement
>>
>> Hybrid compositions make sense for encryption and for signatures.
>> Attacks with a quantum computer to break the cryptographic encryption or
>> signature system(s) may be roughly the same but I am not convinced that
>> the consequences are equal. It is remarkable that signature forgery
>> isn't considered more of a concern than HNDL.
>>
>> Arguing for a belt rather than suspenders and a belt is often a
>> reasonable fashion choice but is it an equally secure and resilient system?
>>
>> Kind regards,
>> Jacob Appelbaum
>>
>> [0] https://en.wikipedia.org/wiki/TWINKLE
>> [1] https://en.wikipedia.org/wiki/TWIRL
>> [2] https://en.wikipedia.org/wiki/Logjam_(computer_security)
>>
>> >> On Apr 22, 2026, at 13:25, Nicola Tuveri <nic.tuv@gmail.com>
>> >> wrote:
>> >>
>> >>  Hi Rich, thanks for your clarification, indeed my phrasing was
>> >> not ideal. I’ll take your comment as a chance to clarify my
>> >> stance. Code point assignment and deployment support are distinct
>> >> considerations. In practice, non-experimental production
>> >> ZjQcmQRYFpfptBannerStart This Message Is From an External Sender
>> >> This message came from outside the Laboratory.
>> >> ZjQcmQRYFpfptBannerEnd
>> >>
>> >> Hi Rich,
>> >>
>> >> thanks for your clarification, indeed my phrasing was not ideal.
>> >> I’ll take your comment as a chance to clarify my stance.
>> >>
>> >>
>> >> Code point assignment and deployment support are distinct
>> >> considerations. In practice, non-experimental production
>> >> deployments generally rely on both assigned code points and a
>> >> published standard.
>> >>
>> >>
>> >> Concerns about the proliferation of standards introducing support
>> >> for additional code points are not uncommon on this list. I note a
>> >> similar concern here in support of delaying this draft.
>> >>
>> >>
>> >> At present, the process risks creating the impression of a “first-
>> >> to-standard” outcome, where publication effectively determines the
>> >> direction of deployment before the trade-offs have been fully
>> >> examined, possibly even stalling the progress of other drafts. In
>> >> particular, the argument that introducing additional options
>> >> increases complexity has been raised repeatedly on this list, but
>> >> it does not seem sufficient on its own to guide decisions in a
>> >> security area WG. It would be preferable to more explicitly
>> >> evaluate the security properties of hybrid and non-hybrid
>> >> approaches and reach a position that can inform what should-and
>> >> should not-be advanced to standard.
>> >>
>> >>
>> >> Best regards,
>> >>
>> >> Nicola Tuveri
>> >>
>> >>
>> >>
>> >> On Wed, Apr 22, 2026 at 19.30 Salz, Rich <rsalz@akamai.com
>> >> <mailto:rsalz@akamai.com>> wrote:
>> >>
>> >> * I have read the draft, but I do not support its publication at
>> >> the moment.
>> >>
>> >>
>> >> * My rationale is that this draft adds complexity by adding extra
>> >> code points for pure mldsa.
>> >>
>> >>
>> >> Code points are assigned when a stable reference is available, as
>> >> you might recall from the long threads on the pure ML-KEM draft.
>> >> So I don’t think your stated rationale makes sense.
>> >>
>> >> _______________________________________________ TLS mailing list
>> >> -- tls@ietf.org To unsubscribe send an email to tls-leave@ietf.org
>> >
>> >
>> > _______________________________________________ TLS mailing list --
>> > tls@ietf.org To unsubscribe send an email to tls-leave@ietf.org
>>
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-leave@ietf.org
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org