[TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

John Mattsson <john.mattsson@ericsson.com> Tue, 05 May 2026 08:52 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 10C50E92F9CB for <tls@mail2.ietf.org>; Tue, 5 May 2026 01:52:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777971152; bh=IO6FTkKYk/l4+U71y0u/77PNgKizCDZJWNOwB8JZrBs=; h=From:To:CC:Subject:Date:References:In-Reply-To; b=moVyHcVWb8fonoT/5duQU6I+ykmqZeP5XmoJWl033UgOde3L2GG29CUX1mDNJOzlI kTWEI7OZW1c53MFHCYRr2fFWErm1XcoRVDhcHOAWW5ScsQeIUgO1MMiCvCjqVSyRlK 3cR9f4a1v1cbg4tPkh7I5NozS6nMvll7bIItG/PU=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fv2JH3iMx6bd for <tls@mail2.ietf.org>; Tue, 5 May 2026 01:52:27 -0700 (PDT)
Received: from DUZPR83CU001.outbound.protection.outlook.com (mail-northeuropeazon11012026.outbound.protection.outlook.com [52.101.66.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 58A95E92F9BB for <tls@ietf.org>; Tue, 5 May 2026 01:52:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=Qwing2PNfNhc+FLWucGt7CcHalDFgqQZCrAb/peBFcLJ0lAm8gjZvra7AjAlNyeikIs9imWy1vONs3sn7AFi0PT07VinzxCsJSmWklDF3eIeBxX2UuTZLvtoHjUdr+6IMi+aPRCgoIBDLTad0SkFXY1cJuyzLCCHVRjUyOc44D6pkZEkAOIDpOAKi6J+9eGVLlbsvN2fUjQ7UuxkWujhNKDEdpNWVQsDiNkQAnRGJsGDGrKyRfhqb3I3Ypi4GuQRjr5x31RYSefv5kdTGQS17zPYLHWSzuPFuzue6QHwywCl48mt9k4AZ44MTNN2LcCP+HsSG3ErJittVf5Q7P9VwA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IO6FTkKYk/l4+U71y0u/77PNgKizCDZJWNOwB8JZrBs=; b=gUFmlGwW0zkHPqSf4O6ej5MiJcHK8/Y+jMO4bgb9EFsmvUhpnzLEgYaUSkbI3p0Kn1y+koQl/EYun5+VUnD1Iy64QUZ6fzSo+lKMaKYLaDsm529mRmQv3VRyBE0JYb6yAjwVCxFasWM/0NGHj3q912GH0lJ4PMVcwnp1lURv9DvfH31D+29jy1AhezaS/ALPVk7c8EgOrcAYc9emdY8uawc39/a023Hk7BywZ/NZAoAdUd9NN5Xj/GiAbvqNvTRLJaj7NK5lfW8L8n3RL6KJ8F4ynbzk3Dsr222Fp0NuQrCB26cW6isfuXASluHoN/ARRqbcZ3x8ZZ8wnGxCVTVDKQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IO6FTkKYk/l4+U71y0u/77PNgKizCDZJWNOwB8JZrBs=; b=e4/eJMzkSXQ8HnNysvq/8DNw8NjBc2mmUeROV065TjI9cXJvu/VFLneMyTGQmc+ERzbubzsht+kDrKBamcIPokxGPC+XzEa2D1SGA+0Fvkrjb9k227S9E86SCAUP29PzFOBgpTYZxBOkxgWuZWFHzbPvafr0Bn9lkoZ3DYMNliyrwML++8SkmuymliWKTpFsh65yqUyYDxH1yByOcvgWiv3MlMCD/6TvU/4rNguCCzwctjnFj7lZxbdKjGvl9BAYFFwwwW3Ry3Wmz4awhCne3lWOi1aF83blUniqF/Qlhw3urXu0OEJZDfmLpzh+RlRcXlVhYCg+LPUpMffoppeBWg==
Received: from AS4PR07MB8825.eurprd07.prod.outlook.com (2603:10a6:20b:4f3::15) by VI1PR07MB6592.eurprd07.prod.outlook.com (2603:10a6:800:189::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9870.25; Tue, 5 May 2026 08:52:15 +0000
Received: from AS4PR07MB8825.eurprd07.prod.outlook.com ([fe80::11a4:5f37:fa92:f174]) by AS4PR07MB8825.eurprd07.prod.outlook.com ([fe80::11a4:5f37:fa92:f174%6]) with mapi id 15.20.9870.023; Tue, 5 May 2026 08:52:15 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Wang Guilin <Wang.Guilin=40huawei.com@dmarc.ietf.org>, Daniel Apon <dapon.crypto@gmail.com>
Thread-Topic: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
Thread-Index: AdzcWilmdXYp9vXbTM6G/jNKVn3cSAAEVDj/
Date: Tue, 05 May 2026 08:52:15 +0000
Message-ID: <AS4PR07MB882563A2B30F8F7AA1CBA875893E2@AS4PR07MB8825.eurprd07.prod.outlook.com>
References: <4f5e186e2be445279b2aa4088dea3e66@huawei.com>
In-Reply-To: <4f5e186e2be445279b2aa4088dea3e66@huawei.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AS4PR07MB8825:EE_|VI1PR07MB6592:EE_
x-ms-office365-filtering-correlation-id: bbb757cd-44c0-4f10-d0a3-08deaa839b67
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|4022899009|366016|376014|1800799024|56012099003|22082099003|18002099003|38070700021|13003099007|8096899003;
x-microsoft-antispam-message-info: GQhBTr+T9cJu82OjqJaE0GELbmCBzTAjqv6IYwRw5XxZaFvm3QGM0eDUPO0WmDyklQP5UDn2quCuBhSjur9sHOlNE5tjMkCHgnyeF3666JbKwS9KLGwPNKK21PEcSPdtZiYTIR+KSln/3bBkN30y9nCXUYhNKWfcyJ7AvTsju6Ffxr777Y7trMdook+4rFkC9eIwHEoqn6umjy90oZjIb7iIL5Ye7Boe7tdbR7RuibHDRvWd7W/yz530oWf9kbu5mms9s3UejPO+6/e2WTDPmpx4/wP1yg6M/rBNPU5IAEfO5kJeoSzkcaCuC5R6y+pneK8Y3DDTBJmCqUPGtWCdZdivcX/gGxBH9deCeygIcpagf5ZHShJe+ZjGXz0l4YREzgOPsByP7q9GIrM5ZrGPVl941Gtb2yJ2vUdE66KUql97owXgEcK+2rzi7EuHvD6N1G54tAshgdNW+v+hs1MPAQ6Yh08h5dp1W+PboeyV6hny+qzxpe32G4bbX2jmJ7MMV+ziLYFkDbKEkbM2zWWfsWXKtDP8agygMz90M4FhL/PKo2CBGq4/IusOSEWEtQe4DGiojb4r/LQHHbcI71pfepWwpOu1q355l9p2ZW+HkYPUhfIdQfphy9pgd1pukvHO8BBPmUjdX3SqFsP72TrrzWvKb7PUubVulCQUj/JCiPnFyOZs5uLAPvVExH0P9VnbMIU/rvRL5ijB5/sNPy2WVw==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS4PR07MB8825.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(4022899009)(366016)(376014)(1800799024)(56012099003)(22082099003)(18002099003)(38070700021)(13003099007)(8096899003);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ZPoR5OrhODYqkv/bfUPrOznXZR/S0k+iFMOK0vu5s/aTa3bK3MYLWulsriGWr6y6KvSZ/MTW7mWFhpmbzUuZjzLn/MUC9COyP6MKF0Oy+ra4tE7+0WPQcZiKbaqqDrZC6wyzKc7b8KVIz+kk9fVVzQt/kLCu4simJeVPPn1C7yzEmr6WWOccPueS8Ul/rmfEbWJZx86lxBlgEu8dR69LVVQlP6kjjsEibpP7ziJX5q2ACC1CV5Fqc+SYexrAYOI2wICsBqH1ww1f8GEGvUshPB2BMp5B7FqH6+e70EjqG9/zRBtcQtk/TgwA6+xButlmC83HyPc9CtiL3d7iaqRUcxe+d6Vpu0sgwyRp1xddBhpU3HfkXg1QUfWEn8cob8e+1dOj4AGgLChViAL1qxcDAs6FNsycFM4P56b47pW3V9FILcmQKTupjuZnjlhNlEhmBO8mUCBCTKFzXx1XzfgJvL1IEvlJBs3rbKBlDcgxPz+UI0woetklhfD6owtixPV4iThv4kgfDxS4tGFskwBxf5a5CiFX1b8sJM0K1DDYTvckYIAQ3f7QaIkzi3PnOj9pF7Xie7sfyfDl6s3SjrJPoiOoI6qc16QfG/8HDTBgDg8VfVYlBYQVomJjhKi+mGGvThDIixYNFAi3BwXD/BZPXtVL5pOAZMejpbGtpFxSSyqw8GdE8laheCt2nssq4S6ld71D3AkUE6ZPeWg6+ZKQxCjQJUSI7f18S811oq/VF5p7QXBzsqntXGKpzoj3//Jb0DYceC3Q8wXeQRnD1pJc4uSZztTApDHQfOu96Eoqpdaf5DiaP4ZP/+py22pJkErdNBzNbOgwm4R7aWFmyTKeL61TSiurkxgFOJNO3Gb4Z5NRooaQKn3nRSB5n1qN4Qwfjlgd3KxgoWy9P8vvkI7s7hUHLYD34m4LOGeHBsU7sLfaf4a/T5Ill12xicyzrg64wb1YDT450lOfj6uw95dPGJSXOPgYcDawFohwgPW+sLt8JaUyWGBRDK9iYmCh07uQjQDEWr7H+O4b2cC+qH0OYjgP3UYnhEfZjgK1bD5n3Gxi2JzpH3qc7DgXY1DzB8a7MR8SQgAV1wT3FChAYhxVWk2NnIIkKnh7HzT7eLNWYrEWhXK3sGcZSO1VK+5hwqTNSlmUvErXaZx9exmAcMSw9XmcaGR5ZEJXkxVGNvJGL9ORDQ8ZiM9wF4ijstUMlOXq8ffW5YOqdbvD5v9Nl+ExN7Rb4RVzAInCQ4MTFjXI91x758H0eN2uKdz0TCA11iuoMupq6fsdhkzCQbzPsahjXJ0RJqqu47adARTg/cjgi4Y8edfwTpEzgf3MMaF9uEoUVhtCd/UuA0BuajE0Ew49v4AdbcWINlJPfWsDKENw43cjmYpMmf0uHkoSPcp7wSX0WDAlXQNyllnn6hq6gw5z7a/Yit+ipqdxIDIv7T4P2OIzW1JVfxSXQxWdE8BukrG2n/C0jDY5iTV7Z+YU3+3t9FQanrOG6WogBap2hNPRhEWacDqotHwS/3VBuCmkRTBNYTjz6GO+B59jD/mN6vzn+uOlW3+gcwYIE1VmGxAwV1Quw/XO6bgoDPewo4zLNy3+Xl2edjllBaGFeGfEhhU+BAhhLONy9ETfjbZp3T7v4+8XE3ZYTflePnYXnKTgECQnhK2UhTDkkM0wQgOzOM2aqyl4d8SGqZhTmk2nBILYtBVn7sQIpAVutd5ly+aWsw+XVbS6go4zG6K7L6nKCCC8v8Gr321bGYdY9CatQRA7Svc=
Content-Type: multipart/alternative; boundary="_000_AS4PR07MB882563A2B30F8F7AA1CBA875893E2AS4PR07MB8825eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS4PR07MB8825.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bbb757cd-44c0-4f10-d0a3-08deaa839b67
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 May 2026 08:52:15.7278 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: r1lcy6YVjS2ycxD9Hx3zsBXSJ7G741FYmoyHoP/Z92Q5damd1ZIC8FwFvyEIndaHw75rP6cWG07lKi9o9CgTqu/mRmQpiLjv1R0FXwNbGnw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB6592
Message-ID-Hash: CDA6RXB5DMRBMVBV3J56VZCAFZELLGAL
X-Message-ID-Hash: CDA6RXB5DMRBMVBV3J56VZCAFZELLGAL
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, TLS List <tls@ietf.org>, Wang Guilin <Wang.Guilin@huawei.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NBpakhH6CacOxcogTuH_GjVGXug>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

>Use Dilithium in a so-called hybrid mode in combination with an established "pre-quantum" signature scheme

As seen by “Dilithium is one of the candidate algorithms”, this was written a very long-time ago. I think most people agree that if you use non-standardized cryptography at all, use it in a hybrid mode”.

Cheers,
John Preuß Mattson

From: Wang Guilin <Wang.Guilin=40huawei.com@dmarc.ietf.org>
Date: Tuesday, 5 May 2026 at 08:59
To: Daniel Apon <dapon.crypto@gmail.com>
Cc: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; TLS List <tls@ietf.org>; Wang Guilin <Wang.Guilin@huawei.com>
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

Hi, Daniel,

Thanks for all of these as the background info about SIKE and more.

Yes, I do agree with you on that SIKE is a special/rare case. It does not imply that a similar case will happen for standardized PQ algorithms.

My feeling is, cryptographers may support more to use hybrid.


  1.  https://mailarchive.ietf.org/arch/msg/tls/hrHO5ZppEy8EgP3w1V8kdM9GxaI/
  2.  Recommendation from the Authors of Dilithium /MLDSA: "Use Dilithium in a so-called hybrid mode in combination with an established "pre-quantum" signature scheme." https://pq-crystals.org/dilithium/

Also, some users may prefer conservative migration.

So, it will be great if both specifications can go through adoption and get published soon. It will be customers’ choices to either or even both of them.

Cheers,

Guilin

From: Daniel Apon <dapon.crypto@gmail.com>
Sent: Tuesday, 5 May 2026 12:32 pm
To: Wang Guilin <Wang.Guilin@huawei.com>
Cc: Jacob Appelbaum <jacob@appelbaum.net>; Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; TLS List <tls@ietf.org>
Subject: Re: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

P.S. By contrast, the Yao Class has attempted similar "gotcha results" against lattice-based cryptography, and failed repeatedly.

i) https://eprint.iacr.org/2024/555.pdf
ii) https://arxiv.org/pdf/2509.12341v7

On Tue, May 5, 2026 at 12:18 AM Daniel Apon <dapon.crypto@gmail.com<mailto:dapon.crypto@gmail.com>> wrote:
In particular -- just for emphasis on the process working as intended:

NIST publicly awarded Craig Costello from Microsoft Research (one of the key co-authors of SIKE) the (only) Best Talk Award from the NIST PQC Conferences, for putting money on the line for attacks against SIKE.
It was incredibly important at the time to highlight additional focused cryptanalysis on isogeny-based cryptography (and SIKE in particular), which had gone relatively unexplored throughout the process up to that point.

See https://csrc.nist.gov/events/2021/third-pqc-standardization-conference

Best Talk Award
The Case for SIKE: A Decade of the Supersingular Isogeny Problem

On Tue, May 5, 2026 at 12:13 AM Daniel Apon <dapon.crypto@gmail.com<mailto:dapon.crypto@gmail.com>> wrote:
Hi Guilin,

You wrote:
"I guess here stresses on improving security strength via using larger parameters or key sizes, but hybrid approach concerns more about the consequence in case  the only pure PQ algorithm is fundamentally flawed (as what happened to SIKE) or some breakthrough cryptanalysis surpasses the security margin. Below is the link for our recent discussions in TLS WG mailing list on the almost same topic.

  https://mailarchive.ietf.org/arch/msg/tls/5GiyxhMA7rhvR73tKrnRd8ZeOK8/"

Yes, it is clear what the hybrid approach is. I also support both pure-PQC and hybrid approaches; they should be available, in standard, to anyone.

But as I mentioned before on this WG mailing list, this lesson "from SIKE" -- so easily stated -- that PQC algorithms may be fundamentally flawed, is incredibly technically imprecise.

SIKE's mathematics had a significantly higher barrier-to-entry for the corpus of PQC researchers to understand it, properly analyze it, and speak about it broadly.
At the end of NIST PQC Round 3, SIKE was adjudicated by NIST as having not received sufficient study, which is why it was moved into a 4th Round (as a unique object).
Lo and behold-- with some additional study and focus, there was a break. This was a success of the process itself; not a weakness of PQC algorithms.

This is a distinct and opposite case from the study of the concrete security of noisy linear codes (both lattice-based and code-based). While 3 code-based schemes were moved on past the 3rd round (HQC, BIKE, and Classic McEliece), these schemes had outstanding issues between them that hadn't resolved yet (BIKE's decryption failure analysis, Classic McEliece's syzygy security and high practical cost of large PKs, and HQC's larger costs vs BIKE). These issues were significantly more mature and specialized than the technical situation with SIKE.

By contrast to SIKE (which was eventually broken outright within a quick sequence of works), many orders of magnitude of technical research works have gone into the study of cryptanalysis of noise linear systems. It's just not a good parallel to draw.


On Mon, May 4, 2026 at 11:56 PM Wang Guilin <Wang.Guilin@huawei.com<mailto:Wang.Guilin@huawei.com>> wrote:
For me, as stated previously, I support the use of ML-DSA and also composite ML-DSA in TLS 1.3.

(For the latter case, yes, the number of composites may need to be reduced from 13 to a few, as several other experts mentioned. )

I do not understand the underlying logic about “defines A is not the place for an A compared-to B comparison”. As both A and B are two apparent approaches to solve the same problem, the authors, the readers and the future implementers all know this. How can we just ignore this issue in a specification as if B were not existing?

Yes, comprehensive comparison with (rough) consensus seems very hard to achieve, but some middle ground or neutral wordings are also helpful for the readers. In the simplest (also the worst?) case, at least the specification can say and refer to approach B, I think.

>Two hard problems at X-bit security, broken independently, should take 2*2^X = 2^{X+1} work.
> One hard problem at 2X-bit security should take 2^{2X} work.

I guess here stresses on improving security strength via using larger parameters or key sizes, but hybrid approach concerns more about the consequence in case  the only pure PQ algorithm is fundamentally flawed (as what happened to SIKE) or some breakthrough cryptanalysis surpasses the security margin. Below is the link for our recent discussions in TLS WG mailing list on the almost same topic.

  https://mailarchive.ietf.org/arch/msg/tls/5GiyxhMA7rhvR73tKrnRd8ZeOK8/

Cheers,

Guilin





From: Daniel Apon <dapon.crypto@gmail.com<mailto:dapon.crypto@gmail.com>>
Sent: Tuesday, 5 May 2026 9:47 am
To: Jacob Appelbaum <jacob@appelbaum.net<mailto:jacob@appelbaum.net>>
Cc: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org<mailto:40akamai.com@dmarc.ietf.org>>; TLS List <tls@ietf.org<mailto:tls@ietf.org>>
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

Hi Jacob,

You wrote:
"When better is defined as "two hard problems are more secure than one
maybe hard problem""

This is neither standard nor textbook in complexity theory.

Two hard problems at X-bit security, broken independently, should take 2*2^X = 2^{X+1} work.
One hard problem at 2X-bit security should take 2^{2X} work.

If you want to increase security, you should increase parameter sizes.
Or, you should have chimed in on the security of the hard problem a decade ago when it was being discussed internationally.

==========

In response to:
"a document that defines A is not the place for an A compared-to B comparison"
You wrote:
" Where should it go if not there?"

My answer is here. Resolve that here, in this conversation. Not in a long-lived document.

==========

I believe I agree with Rich and Uri in this conversation.

Moreover, I do not think both a "Why hybrids?" and a "Why not hybrids?" section being added addressing any of my concerns; in fact, I believe it only makes shoving worse -- by shoving controversy and various arguable opinions into a standard.
The standard should stand on its own standard legstands.

--Daniel

On Mon, May 4, 2026 at 9:52 AM Jacob Appelbaum <jacob@appelbaum.net<mailto:jacob@appelbaum.net>> wrote:
Hi Rich,

On 5/4/26 15:00, Salz, Rich wrote:
> * I had sincerely proposed what I believe is a good middle ground to
> move on. WG is free to trash my proposal.
>
> Okay then.  Your proposal is not a middle ground.

What are the sides from your perspective and what would be a middle
ground if not this?

 > It says that hybrids are better.

When better is defined as "two hard problems are more secure than one
maybe hard problem" or "one new failure cannot result in a practical
break of the protocol" then it follows that hybrids are better.

If we're not talking about "better" in the context of security but byte
overhead or energy efficiency, then we'd need some other definitions for
the word better, I suppose.

>
> I still maintain that a document that defines A is not the place for
> an A compared-to B comparison.

Where should it go if not there?

If it should go somewhere else, would a reference to that other place
also be wrong?

> From the mailing list traffic, several other long-timers agree with that.
>
This reads as an appeal to authority over a reasonable analysis that is
related to Usama's formal proof. I do not find it compelling and it
appears as dismissive to Usama's efforts. What's the constructive
counter proposal other than writing as if hybrids don't exist or that
PQC without a hybrid construction isn't a novel risk?

Long-timers can be wrong and given the Dual_EC history and various
related drafts, they might even be wrong twice for the concerns raised
by Usama and others.

Kind regards,
Jacob Appelbaum

_______________________________________________
TLS mailing list -- tls@ietf.org<mailto:tls@ietf.org>
To unsubscribe send an email to tls-leave@ietf.org<mailto:tls-leave@ietf.org>