IETF Logo Mail Archive

[TLS] Re: [Last-Call] Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

Nadim Kobeissi <nadim@symbolic.software> Tue, 02 June 2026 19:41 UTC

Return-Path: <nadim@symbolic.software>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2EE23F987D74; Tue, 2 Jun 2026 12:41:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780429309; bh=fHfJI0XUP7m4qQLVuyktPHCFkrdPBuDzBIvI8iApF3M=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=rlJWsaHbXzcdxEkrBYpUN0uRUu0/JFeGb6oevT3SgEq+FQfk3b+6ayaNtOdM8/Jh2 oq1tdEW/QY9iDSpWYmjvBPHxbnbxn8YKEDcJLZARHeHuZN7gCp64V8r9bN5PONY2fk OChpkqjigewnBv5be0ZL7y9ImHz+qNe9E/X5Wedw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=symbolic.software header.b="b7iP8hUw"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="JLmJKNLd"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lAHq0lmyIqft; Tue, 2 Jun 2026 12:41:46 -0700 (PDT)
Received: from fout-b1-smtp.messagingengine.com (fout-b1-smtp.messagingengine.com [202.12.124.144]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BB307F987CD6; Tue, 2 Jun 2026 12:41:46 -0700 (PDT)
Received: from phl-compute-01.internal (phl-compute-01.internal [10.202.2.41]) by mailfout.stl.internal (Postfix) with ESMTP id C35081D0010A; Tue, 2 Jun 2026 15:41:39 -0400 (EDT)
Received: from phl-frontend-03 ([10.202.2.162]) by phl-compute-01.internal (MEProxy); Tue, 02 Jun 2026 15:41:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= symbolic.software; h=cc:cc:content-type:content-type:date:date :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm1; t=1780429299; x=1780515699; bh=VGzq1kQT8s9+jz3SF1/3B3j5QGASiXHhCemy3Ucp5ig=; b= b7iP8hUw5BrIJx4KnyfeU5Inj2J2w6AzZqW+KmVjXBmINedER9Iy7QIjecool0GL LzsRV5gX4BSkUI0jWwMgjBOAX1KprqSRd2Yz2mn7d7/4tINsX1VlczhzA1w7U8X9 rG6YnmznLXvqqkqNvCogEp3j2WIYcYVFux0ATm9Bu8svRE0EX87Vdxa6/WOAfs0X flvo89iC67vhLSVRfDzIS6iI7RPPU9E3NfrwevMDQIK4QYWag0sjY7QFUV+cCZ9S kONTVpj1f5ojCN+Ng2FWGqEpAVSJtCuS1uDygkkYGm+ii8sJlsihzMMwCPQYozuZ pUfNbaef7TQ3Jw/pr2v5sw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t= 1780429299; x=1780515699; bh=VGzq1kQT8s9+jz3SF1/3B3j5QGASiXHhCem y3Ucp5ig=; b=JLmJKNLd1FWZ55YNz4uwoZzQQLmQH/xNejIHunTUaEBiWZCXc0x qkxxQ/YjzaTsRZ834ektTsjalp5yhxLsONulWcHUT8TyYNRIBAf5XN93GFaYDca5 6HLOOyq/QCg9OZUiU17O8MWXDtdWdjETYEWt8doVMU581vM95t9S903n47/SePaG Cj3Vt/G+dX0nMQ5jQmYW8tJewQJ3JSOsM0IgFUqVGGrjgpPnTWbFAdPPv5kUa3XK wfvcvGJJSKqHpxEN3ZGkY6QJQk9fPTfuxDbmgtNQs7t+/mkGBmrm81dYFQBsT3OP H4c1QNKcTx7oQegY9yDhnaYDtlnAoXOuQrA==
X-ME-Sender: <xms:8zEfanoMNIqaIivmFya9PP05jE3qcg0Z4khMNrPLK_NPKuIw9T1FAw> <xme:8zEfaqlF0-t4cFty-evd-kDWlm-X_Bc2S3Ta9Zr0KzH065dadiu9KfQMTh5NmnCtS btz6Kn05Dza0s0XbZ0V9oJF1N1DYXL4ePbwLWaQgajbZHGQXZ1vrJdx>
X-ME-Received: <xmr:8zEfavzGj1UokgMF_6y1raHsWMldERR3nJXjeAcmYdC9wKhbJASLDfYyqRk2yGuc-NGtg7RrUrPGpQ02F1XdIDS70Y968Y7ymkuzhsAyDg-2pklNn5_m2fKfVw>
X-ME-Proxy-Cause: dmFkZTGo23sVJKuVXgIFqa2Nrg9KrkDtjNOzEQ4+OCW22/+0U+TZFQInLNTBEN+qxVWzVD qxT6CwrzDIZC3YGYHdjQdBP24yF1ui9etgL3cTFGh2HZANPI2g2YjokUIv0Rn4pRgaxqYQ lOeBDL6N9ZWqpYtWRafK/4dXUFi2/frRjrXPTL4rl34SDEc58v0YiAvXAn6HtQt0RxXv7Q pOHdC8LIi6nEeCN0eOV50/6bSClV6PzWWOhly+rHWfoKSXFCz66ehQc74+womtjYBzqDp+ vU9ld+0P0M3UbajW3KOtDde0S73Ubr5r+hfVNIM0rXLHhX3nZvRC9CuVvLkorpmXGo7crq /OlvHflpVH0zuIwOa3DWuwzYSfdKb+SzptftdaMnFlg/NrMyBsp+DaKgYFihgcnHvSyDC/ NesFif+S6KsrDnRenWs4IA6bIyJcRvBmvlvnFh7M/ZLsmLFIgTxpeo1EPkuTrjAdlImi3u CehjdKZc41xIDiKaLQmkrwb4FVNGDY9KeTjeZ7xWE6zNyGQJ1lW83oQFcwXABw3lDWFwCF zTyvJ+9879IK4hIymFfGGKk9hgWJ4x5hpNS2+IdIQrixZP16PSRkau6BqZqVJADEvLMQI+ P5ssncYNCnorj4e/UDBxzAyoRh3MzQLb4VS3juyZepBSCUCNDEMydSlKC6iQ
X-ME-Proxy: <xmx:8zEfaq9iv4qJINNkMVO7AdFEofsa8dSMITwwP4HPtWdVSVL8HV5a3Q> <xmx:8zEfajKZPQrzymHYSNai8Uf4k-XY2vP5j2xg9-d9IKoblRojwizSPg> <xmx:8zEfageW4i3MoI-7X7MisvtNeUQQNIOC4PHLi0jsf8n3NpQpO_pxVw> <xmx:8zEfai_6LeNHC6PRV3aUynmNaRR7hedJaNmIgdJtPLzKklXKGaRDCw> <xmx:8zEfamvUN346z2rKx2udiwQfY03rDIZ3X3E3LVlT8LikMOQFY82WpNFC>
Feedback-ID: i6d3949ed:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 2 Jun 2026 15:41:38 -0400 (EDT)
From: Nadim Kobeissi <nadim@symbolic.software>
Message-Id: <6E0AD0BA-4694-4AC2-86BC-4282EB1FBED2@symbolic.software>
Content-Type: multipart/alternative; boundary="Apple-Mail=_957D264C-7C33-4370-85B4-27B308B3E683"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.600.51.1.1\))
Date: Tue, 02 Jun 2026 21:41:38 +0200
In-Reply-To: <20B1661B-4CF8-45D6-970E-31C63AFC8D44@symbolic.software>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
References: <20260601204245.2216938.qmail@cr.yp.to> <767067D3-A1FF-452D-B1BE-76B412E75052@vigilsec.com> <85821685-f12a-41e2-a136-3b068647b7f7@app.fastmail.com> <CAEEbLAYUFWndaF8UL+=wV1c3Zv0jjZrdmB1T+40bcYphZYdLuw@mail.gmail.com> <AS4PR07MB8825636233B2380395F9D4B589122@AS4PR07MB8825.eurprd07.prod.outlook.com> <20B1661B-4CF8-45D6-970E-31C63AFC8D44@symbolic.software>
X-Mailer: Apple Mail (2.3864.600.51.1.1)
Message-ID-Hash: 7PS2EKYUBWLFNEQWP6LHXHVY676ZMMDU
X-Message-ID-Hash: 7PS2EKYUBWLFNEQWP6LHXHVY676ZMMDU
X-MailFrom: nadim@symbolic.software
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>, IETF TLS <tls@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [Last-Call] Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qNxfxOw5vMI5wVydUK-7C2M0QX0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

(ML-DSA, not ML-KEM, obviously. Sorry.)

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 2 Jun 2026, at 9:41 PM, Nadim Kobeissi <nadim@symbolic.software> wrote:
> 
> *Pinches bridge of nose, exhales through teeth* I agree with Filippo.
> 
> But seriously, I think the level of vitriol is getting off the charts, and it’s (again) sad to see because Dr. Bernstein is an inspiring scientist with a wonderful track record, and I wish people would stop dragging him through the mud like this.
> 
> But he’s wrong here. The best way to address these potential issues in ML-KEM is through improved known-answer tests and other such testing methodologies:
> 
> https://github.com/C2SP/wycheproof/pull/242
> 
> Sophie’s email is very much on point, too.
> 
> Come on, guys, it’s just a signature scheme. Let’s all be nice!
> 
> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
> 
>> On 2 Jun 2026, at 9:05 PM, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
>> 
>> Agree with Filippo and Sophie. I do not think the IESG should take any action based on this paper. It does not present anything that has not already been discussed publicly. ML-DSA is clearly a much better algorithm than ECDSA and EdDSA. If the IETF were to recommend anything, it could be the use of a higher security level, but ML-DSA-44 already provides a substantial security margin when used in end-entity certificates. For long-term roots of trust, I would use standalone SLH-DSA.
>> 
>> Well-designed and properly implemented hybrid schemes can provide clear benefits. However, while X25519MLKEM768 is both cryptographically sound and widely implemented, there is currently nothing even close to mature for hybrid signatures in TLS. Several TLS libraries have stated on the TLS mailing list that they will not implement draft-ietf-lamps-pq-composite-sigs. Ericsson can be added to that list: we will not support draft-ietf-lamps-pq-composite-sigs in any of our libraries, products, or services. In our view, draft-ietf-lamps-pq-composite-sigs is neither technically nor legally deployable. This should not be interpreted as opposition to hybrid approaches in general. We strongly support X25519MLKEM768 and have implemented our own non-composite hybrid signature solutions for other use cases.
>> 
>> I wish that those in academia advocating hybrid signatures had spent some effort producing technically sound and deployable hybrid specifications, rather than devoting enormous amounts of time slowing the urgently needed PQC migration in industry.
>> 
>> While Bernstein focuses on implementation errors in untested reference code from 2017, and one can speculate about future attacks on ML-DSA, we at Ericsson have already encountered multiple real-world vulnerabilities in hybrid signature systems that vendors have attempted to sell to us. Hybrid signatures are not automatically better. In fact, it is trivial to see that draft-ietf-lamps-pq-composite-sigs sacrifices several important security properties of ML-DSA (non-malleability and BUF), properties whose absence from traditional signatures has contributed to significant practical vulnerabilities in the past.
>> 
>> Moreover, the objective of draft-ietf-lamps-pq-composite-sigs is _not_ to increase security, it is to allow vendors to market FIPS-validated RSA and ECDSA as "quantum-resistant" even when only the quantum-vulnerable component has been validated. This is, at best, a highly questionable business practice and should not be endorsed by the IETF in any way.
>> 
>> Cheers,
>> John Preuß Mattsson
>> 
>> From: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>
>> Date: Tuesday, 2 June 2026 at 19:59
>> To: Filippo Valsorda <filippo@ml.filippo.io>
>> Cc: IETF TLS <tls@ietf.org>; last-call@ietf.org <last-call@ietf.org>
>> Subject: [TLS] Re: [Last-Call] Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC
>> 
>> Note that the described vulnerabilities are due to the usage of the Fiat-Shamir transform and are shared by all constructions that use the Fiat-Shamir transform as well as ECDSA, which is similar, but legally distinct from Fiat-Shamir. ML-DSA is actually the most hardened version of this transform, using both entropy stored in the private key with the message as well as externally supplied entropy for computing its witness. This is why djb has to reach deep into the implementation and invent a fault at rhoprimeprime, while much easier to trigger faults exist in EdDSA (simply supplying an inconsistent public and private key to an implementation is enough to trigger the fault there). Unless we have similar warnings for ECDSA and EdDSA, I would not bother with adding them. This behavior is well known and covered by test vectors, for all Fiat-Shamir variants I'm aware of.
>> 
>> On Tue, Jun 2, 2026 at 10:38 AM Filippo Valsorda <filippo@ml.filippo.io <mailto:filippo@ml.filippo.io>> wrote:
>> 2026-06-02 16:23 GMT+02:00 Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>:
>> With the notice that you attached to this note, it cannot be used to improve the Security Considerations of draft-ietf-tls-mldsa-03.  As such, this is very unhelpful.
>> 
>> There is no need anyway.
>> 
>> Bernstein looks for severe bugs in ML-DSA implementations, and only finds one in a 2017 implementation of Dilithium 1.0, and then invents three bugs that resemble it. All four would be found by running any KATs for any signing interface, including the high-level non-internal deterministic signing one.
>> 
>> This paper could have been a few uninteresting entries in a muzoo <https://github.com/FiloSottile/mostly-harmless/tree/main/muzoo> mutations folder.
>> 
>> Some of the surrounding 50 pages of stuff make claims that are at best confused and at worst intentionally obtuse. For example on page 15 he claims he can't see how to use a test vector that provides (seed, public key, message, µ, signature) <https://github.com/C2SP/wycheproof/blob/878e5366008753df2064d40c49f8e2f50f9c6af7/testvectors_v1/mldsa_44_sign_seed_test.json> to test a signing interface that does (seed, message) => (signature) or a key generation interface that does (seed) => (public key). These misunderstanding seem to mislead other parts of the paper such as claiming a trivially-caught bug "can’t be caught by the nonexistent ML-DSA keygen tests in [Project Wycheproof]" or that "[Project Wycheproof] seems to require a nonstandard interface to test ML-DSA signature generation, and it doesn’t test ML-DSA key generation at all."
>> 
>> These bugs are so easy to find that they would be caught by the vectors in the body of draft-celi-acvp-ml-dsa <https://pages.nist.gov/ACVP/draft-celi-acvp-ml-dsa.html>, without even accessing actual ACVP vectors provided by NIST at https://github.com/usnistgov/ACVP-Server/tree/master/gen-val/json-files, which Bernstein somehow wrote a 59-page paper about testing ML-DSA without referencing.
>> 
>> Russ
>> 
>> > On Jun 1, 2026, at 4:42 PM, D. J. Bernstein <djb@cr.yp.to <mailto:djb@cr.yp.to>> wrote:
>> > 
>> > I've just finished a paper titled "Exploiting ML-DSA bugs":
>> > 
>> >    https://cr.yp.to/papers.html#mldsa
>> > 
>> > Let me gently suggest that IESG extend the current "last call" and ask
>> > the TLS WG chairs to stop censoring my messages to the TLS mailing list.
>> > 
>> > The abstract of the paper is as follows:
>> > 
>> >    At least four Dilithium software vulnerabilities have been announced
>> >    so far, including an identical vulnerability in each of the two
>> >    official Dilithium 1.0 implementations and two different
>> >    vulnerabilities in a "verified" implementation of Dilithium 3.4,
>> >    also known as ML-DSA. However, there do not appear to have been any
>> >    demos showing exploitability of any of these vulnerabilities.
>> > 
>> >    This paper shows that a small change in ML-DSA software creates an
>> >    ML-DSA version of the Dilithium 1.0 software vulnerability, can
>> >    occur by accident as in the original vulnerability, interoperates
>> >    with authentic ML-DSA, passes typical tests, and is exploitable in 1
>> >    second on 1 laptop core. This paper provides an open-source attack
>> >    demo that inspects a public key and two signatures, obtains an
>> >    equivalent secret key, and uses this key to rapidly forge signatures
>> >    on attacker-chosen messages.
>> > 
>> >    This paper also shows that another small change in ML-DSA software
>> >    creates a different software vulnerability, can occur by accident as
>> >    in the Sony PlayStation 3 ECDSA vulnerability, interoperates with
>> >    authentic ML-DSA, passes typical tests, and is exploitable in 1
>> >    second on 1 laptop core. This paper again provides an open-source
>> >    attack demo that rapidly forges signatures on attacker-chosen
>> >    messages, after inspecting a public key and a few signatures.
>> > 
>> >    This paper then uses standard techniques to estimate exploitability
>> >    rates for ML-DSA software, and to estimate the number of ML-DSA keys
>> >    that the attacker will be able to break in year Y, as a function of Y.
>> > 
>> >    This paper also reviews evidence in the literature regarding quantum
>> >    timelines, costs of quantum attacks, and non-quantum security
>> >    failures in ECC, so as to estimate the number of Ed25519+ML-DSA
>> >    double-signing keys that the attacker will be able to break in year
>> >    Y. The main conclusion is that, even years after the first quantum
>> >    attack, this number will still be much smaller than the number of
>> >    breakable ML-DSA keys.
>> > 
>> >    Qualitative security benefits of ECC+PQ compared to solo PQ have
>> >    been pointed out before, but not with quantified estimates of the
>> >    number of breakable keys. Some recent postings gave arguments
>> >    disputing these benefits; this paper closes by pointing out flaws in
>> >    those arguments.
>> > 
>> > ---D. J. Bernstein
>> > 
>> > 
>> > ===== NOTICES =====
>> > 
>> > IETF BCP 78, "Rights Contributors Provide to the IETF Trust", Section 5
>> > (normative), "Rights in Contributions", provides a modification right
>> > "unless explicitly disallowed in the notices contained in a Contribution
>> > (in the form specified by the Legend Instructions)".
>> > 
>> > The official language from IETF's "Legend Instructions" for the
>> > situation that "the Contributor does not wish to allow modifications nor
>> > to allow publication as an RFC" is as follows: "This document may not be
>> > modified, and derivative works of it may not be created, and it may not
>> > be published except as an Internet-Draft."
>> > <https://trustee.ietf.org/wp-content/uploads/Corrected-TLP-5.0-legal-provsions.pdf>
>> > 
>> > The same language is used in, e.g., RFC 5831. The same language hereby
>> > applies to this document. This is not disclaiming or limiting the
>> > applicability of IETF policies; it is strictly following IETF policies.
>> > 
>> > IESG claims that the "explicitly disallowed" provision in BCP 78 is
>> > limited to the examples in Section 3 in BCP 78. That is incorrect. BCP
>> > 78 states that Section 5, "Rights in Contributions", is normative, while
>> > Section 3, "Exposition of Why These Procedures Are the Way They Are", is
>> > informative. The opt-out provision in the normative is clear, and cannot
>> > be limited by an informative section. BCP 78 also does not give IESG any
>> > authority to issue changes or purported clarifications of the rules.
>> > 
>> > Rationale for exercising the BCP 78 opt-out provision: I'm fine with
>> > redistribution of copies of this document. The issue is instead with
>> > modification, such as (1) IESG's May 2025 posting of an IESG-mangled
>> > version of an appeal that I had filed and (2) IETF management selling
>> > IETF mailing-list text to AI companies. There's no legitimate excuse for
>> > that, and it goes far beyond what copyright law allows as fair use, such
>> > as giving quotes for purposes of commentary.
>> > 
>> > -- 
>> > last-call mailing list -- last-call@ietf.org <mailto:last-call@ietf.org>
>> > To unsubscribe send an email to last-call-leave@ietf.org <mailto:last-call-leave@ietf.org>
>> 
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
>> To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org>
>> 
>> 
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
>> To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org>
>> 
>> 
>> --
>> 
>> Sophie Schmieg | Information Security Engineer | ISE Crypto | sschmieg@google.com <mailto:sschmieg@google.com>
>> 
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-leave@ietf.org
>

v2.46.0 | Report a Bug | By Email | System Status