[TLS] Re: [Last-Call] Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

Filippo Valsorda <filippo@ml.filippo.io> Wed, 03 June 2026 09:08 UTC

Date: Wed, 03 Jun 2026 11:07:28 +0200
From: Filippo Valsorda <filippo@ml.filippo.io>
To: "D. J. Bernstein" <djb@cr.yp.to>, tls@ietf.org, last-call@ietf.org
Message-Id: <cffaa2fb-a82a-4bef-b333-51d7ee90ec6c@app.fastmail.com>
In-Reply-To: <20260602210527.2289933.qmail@cr.yp.to>
References: <20260602210527.2289933.qmail@cr.yp.to>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iDPFnBDE-mA6Ojii6xI9ODzerr4>

2026-06-02 23:05 GMT+02:00 D. J. Bernstein <djb@cr.yp.to>:
> Filippo Valsorda writes:
> > These bugs are so easy to find
> 
> The CVE-2026-24850 bug [...]
> 
> The CVE-2026-22705 timing leak [...]
> 
> The CVE-2026-41990 bug [...]
> 
> The "previous" vs. "current" bug [...]

From your paper:

> I’m counting vulnerabilities as severe only if the attacker can quickly forge signatures on new attacker-chosen messages.

From my reply:

> Bernstein looks for severe bugs in ML-DSA implementations, and only finds one in a *2017* implementation of Dilithium 1.0, and then *invents* three bugs that resemble it. All four would be found by running *any* KATs for *any signing interface*, including the high-level non-internal deterministic signing one.

Those are not severe bugs. So yes, only one real and three imagined severe bugs, all easy to find by doing any testing at all.

> Both of the official Dilithium 1.0 implementations submitted to NIST
> were vulnerable (and, as my paper shows for an analogous bug in
> Dilithium 3.4 = ML-DSA, exploitable in under 1 second on 1 core). This
> bug was so easy to find: just check KATs against a Python translation of
> the spec. So why wasn't it found before release?

Easy: because in 2017 Dilithium 1.0 was research software that ~no one in industry cared about, other implementations didn't exist, nor did KATs.

> Et cetera. My paper is looking at the real world, not at some fantasy
> world [...]

All the severe bugs in the paper that affect ML-DSA software (as opposed to the Dilithium 1.0 submission in 2017) are fantasy bugs.

> [...] My paper also looks much more
> closely at some structural aspects of ML-DSA software that make a wide
> range of ML-DSA bugs likely to evade typical tests. The word "typical"
> is important; again, saying that better tests exist misses the point.

I guess we disagree on what testing is typical. Adding ≥ 1 readily available known-answer test for a high-level deterministic function is in my opinion typical in cryptography engineering, but I acknowledge that you seemed confused by how to apply the (seed, public key, message, µ, signature) Wycheproof test vectors to your implementation.

Here is a Sage script that applies the very first test vector of mldsa_KL_sign_seed_test.json to find both bugs in your implementation. It uses the randombytes() hook you are fond of and the external standard randomized interface, instead of the deterministic interface I tend to prefer. It also tests key generation, despite "the nonexistent ML-DSA keygen tests in [Project Wycheproof]."

https://gist.github.com/FiloSottile/5fa77f87543830a068d400a83d9bcb57

I don't expect this will convince you, but hopefully it will reassure others who might be genuinely concerned about the testability of ML-DSA.
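Added example, not part of the message above and not the Sage gist it links to: a standard-library Python sketch of the parts of a seed-based ML-DSA known-answer test that can be checked without a full implementation. It shows how a scripted randombytes() hook turns the randomized external interface into a deterministic one, and the FIPS 204 derivations (seed expansion, M' framing, tr, µ, ρ'') that tie a (seed, public key, message, ctx, µ, signature) vector to the internal signing inputs. The vector field names, the keygen/sign callables taken by check_vector, and the placeholder bytes in the test are assumptions constructed for illustration; ML-DSA key generation and signing themselves are not reimplemented here, so a real run would plug in an actual implementation and vectors from mldsa_*_sign_seed_test.json.

```python
import hashlib

# (k, l) per parameter set, from FIPS 204 Table 1.
PARAMS = {"ML-DSA-44": (4, 4), "ML-DSA-65": (6, 5), "ML-DSA-87": (8, 7)}


def H(data: bytes, outlen: int) -> bytes:
    """FIPS 204's H: SHAKE256 with an explicit output length."""
    return hashlib.shake_256(data).digest(outlen)


class ScriptedRandomBytes:
    """Replacement for an implementation's randombytes() hook.

    Each call must ask for exactly the length of the next scripted value
    (32 bytes of keygen seed, then 32 bytes of signing rnd).  Anything else
    is a test failure: an extra RNG read or a wrong-length read would
    silently desynchronise the known-answer test.
    """

    def __init__(self, *values: bytes):
        self._queue = list(values)

    def __call__(self, n: int) -> bytes:
        if not self._queue:
            raise AssertionError("unexpected randombytes() call")
        value = self._queue.pop(0)
        if len(value) != n:
            raise AssertionError(f"randombytes({n}) but scripted {len(value)} bytes")
        return value

    def exhausted(self) -> bool:
        return not self._queue


def expand_keygen_seed(xi: bytes, param_set: str):
    """FIPS 204 Alg. 6: (rho, rho', K) = H(xi || k || l, 128), 32/64/32 bytes."""
    if len(xi) != 32:
        raise ValueError("keygen seed must be 32 bytes")
    k, l = PARAMS[param_set]
    out = H(xi + bytes([k, l]), 128)
    return out[:32], out[32:96], out[96:]


def format_mprime(msg: bytes, ctx: bytes = b"") -> bytes:
    """FIPS 204 Alg. 2: pure ML-DSA signs M' = 0x00 || len(ctx) || ctx || M."""
    if len(ctx) > 255:
        raise ValueError("ctx longer than 255 bytes")
    return bytes([0, len(ctx)]) + ctx + msg


def compute_mu(pk: bytes, msg: bytes, ctx: bytes = b"") -> bytes:
    """tr = H(pk, 64) (Alg. 6); mu = H(tr || M', 64) (Alg. 7)."""
    tr = H(pk, 64)
    return H(tr + format_mprime(msg, ctx), 64)


def compute_rho_pp(K: bytes, rnd: bytes, mu: bytes) -> bytes:
    """Alg. 7: rho'' = H(K || rnd || mu, 64); rnd is 32 zero bytes when deterministic."""
    if len(rnd) != 32:
        raise ValueError("rnd must be 32 bytes")
    return H(K + rnd + mu, 64)


def check_vector(vector: dict, keygen, sign) -> dict:
    """Run one sign_seed vector through a randomized keygen/sign pair.

    keygen(rng) -> (pk, sk) and sign(sk, msg, ctx, rng) -> sig are assumed
    to take their 32-byte seed and rnd from rng (hypothetical interface).
    Returns per-field results so a failure pinpoints keygen vs mu vs signature.
    """
    rng = ScriptedRandomBytes(vector["seed"], vector["rnd"])
    pk, sk = keygen(rng)
    sig = sign(sk, vector["msg"], vector["ctx"], rng)
    return {
        "pk": pk == vector["pk"],
        "mu": compute_mu(vector["pk"], vector["msg"], vector["ctx"]) == vector["mu"],
        "sig": sig == vector["sig"],
        "rng_fully_consumed": rng.exhausted(),
    }
```

The µ check is worth running even when the signature check fails: a vector whose µ matches but whose signature does not points at keygen or the signing core, while a µ mismatch means the M' framing or tr derivation is wrong before any lattice arithmetic runs.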