[TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

Daniel Apon <dapon.crypto@gmail.com> Tue, 05 May 2026 04:13 UTC

Return-Path: <dapon.crypto@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 532B2E91B8C0 for <tls@mail2.ietf.org>; Mon, 4 May 2026 21:13:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777954415; bh=woTdXIa+bpnL3rnW6ZoVmjN4/yQhD+MQSv1gBCA0L9Q=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=uY1rPgXAnPASmQsYiCnCRUuNUD0RmjAe43+Na+/U0ZEyW0TNncM8OmRvpK3mXq1Vh n3JDwOTOCuyyDPKsDYM18j9GuvxUJEtv3tcnLv+ZoaqNk100oG3FZqMBiy+/uBLS84 pATSztlSC2hnNYTOkDPXyW4nYELTF7BiayB+7PGA=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R1z2VQSdFa3y for <tls@mail2.ietf.org>; Mon, 4 May 2026 21:13:33 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id AEB9AE91B8B0 for <tls@ietf.org>; Mon, 4 May 2026 21:13:33 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id 2adb3069b0e04-5a858881ad2so4777080e87.3 for <tls@ietf.org>; Mon, 04 May 2026 21:13:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1777954412; cv=none; d=google.com; s=arc-20240605; b=KxoWDVJnuJGdZ5OclWyzz3dFpj4Byxcdurai97ycuJQeQzDGFTYSUfzroquRICFDoS pdYHL8GeQuug7j/jkg6ev52LTgqFAMHeBeH6xeL9e/uHJnuzYS+VJ0cMI6NhN5So9NgK +KsGt6kquwU0LrO7LhHf0ioS/WenL5xWUR+pDqAMkg/b+M0Z75eBXsB1FwNC52gRB7Ay 1tQQmDMauD2r4yeeEMll66vXphLBFp0xatAt5pPBBW9oBBZioKOvE7V9fIHk5NZa7zPy lFqfgH9JCapwegxohDDtTNgkddLQ32RYBL1WNXrsIPFx0lcYUHt/zxHf6WrD8eFbY1ZN caJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=0FEfGGvAQfU/Vn6RbQpnfLMiMv6fbT7bDqI3F2unQLg=; fh=hVikp8lVjP6Dcq6M4012ep/cnsSoKsRbsa2w/WNxL64=; b=GtbzHYWOEEqXNsiHvkieSErwZSK7ByvkHkCaPeIANDKi9znNFSNlY2f93IFdaMke5Y vgsyoKU9BU8/W1PnV+ceOdc4MiiIdLS9lW5Q+veKPohqiQGcyBc6qt81scqrpikiV0zf g68hBU5lmtoUBoDerzzdk61p5+EE+mCnIDX1uMwjRmxhS8uma9Z/93+p05pa8lr3dJkQ i5nQgDNNZHNnGRbtPOO0IIJ+J+Hk04VBC2+RVrQtxbwvZM11X3UpV79IYXPTBE+Iweeb Pq1xAFE5xn38Ap54hhjyJCsEn30nuy8ifJQZfWnWSAzvVxHYSJtDLkGhHiXwLJX/FsxH bDUQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777954412; x=1778559212; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0FEfGGvAQfU/Vn6RbQpnfLMiMv6fbT7bDqI3F2unQLg=; b=XTPtOqCBiLBIgGlzulRrk2oaqbQreXRvbQB4V7zSl1BJ4jTi1A5ffchANKq+Z9C4W4 w6zNWblxBCFtwvXWl743+wOJfVc4foLt0Eh8uVI5JmLeyQne+DqjOd7jkIfFZfIJVqRg Pada/BakwqhLg8haMgEkxZEoWnymNJN8p4UTkPsLKAhclIr/HKR1NfdwLz7SpaKIfE4e OhSswip4FWA54uKO30y62TPWrVKHZ16lmbq6yK9XrHaQYOwhamovVpJgCzN7YzbwAZDW ZRcjB5NUXdRrmA8XvHhJxJyhhWYY3SRwQr3IEtG728xZ8450mFADc79NScU4vLBZIfFf pIIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777954412; x=1778559212; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=0FEfGGvAQfU/Vn6RbQpnfLMiMv6fbT7bDqI3F2unQLg=; b=jEIGGa/IEQTdS+Z9/Bd6bkgAw1pczJEr+7/rLdf/tQEJXbF8tTOM0EZ9RSkFcwolD2 QYW6JPSQcbTcHED/pGn4NKkDHj+N4nr34uWbNcpaAGDyhUQAl4Cf2HI1caqNWsSkSriW 1F2Xx3t02lIMsH4C3FP8q4FMiBigA3qFDsl0BSdvpktBhkZmbasmsupKaLokXwO38lw9 gGw11K/dHQHSDinS5w5SQmL2B59ZaGYl5Gn9MBqs3RwlHkCRT/yvbEcHizjSQBsuHy2q 0vgJYD/egaZDZ1oAIJrrC05GdeqyTnzhajuTPJNfRee8kepupoRn4zeocvXFhKapDwz9 7XFg==
X-Forwarded-Encrypted: i=1; AFNElJ98vNYfOyHnV6xPH/YRYEVcx57mI+97ptgF1p81WUTUkQu3ydlNndtp/N+UeO2/FtphE6M=@ietf.org
X-Gm-Message-State: AOJu0Yz9eecikj9DKBfC66frOvp9Ph2ZktAtxszvrm+0d670iXUcnYX+ dxc4H707UyPAgScDB1drBHRds2lCWHp/64v9eBHlEpcIempqdoe2aTtbhKbr6WoJikp93AX2O4L SoGn/2PrNohezWkBNjIuCQcBlU4bVj6A=
X-Gm-Gg: AeBDiesb1zbMj58U4Pv0ZaHOGT2rcNC+3KVYjO+jsSNox6J/dRlz5H6rkEy2eEpxUUF I/VSoMMzW+4OM8TkmIp5hWhGg6zD1NyvVyC3qSBRU/Zkthhd5Wl+Suo+s7HHRJtZshCl4C6/GXi XEDGmYepUQrn4wllC2/8jBb1Wz6QghBCw0ZcVlP6DbXQv4MHwthd5rs7N+kLXvK7pQ3kkZsaUB1 Ttm0oiIWSI6SusxZbr7dVr4xGAJfpgYiWNUlgx98H2ib9PzXKpDxXG+6RaLW2rpFXH12J1SGXCl w5SghRb0f0UerXVJVNq0yWjcNFVUYd3vS3tBzOsJHHgzuIlX9iO8eOwCd1BDI81n3i09V/CK3h8 K4e5a6eegwanXJWVcLz8rU/KXqIY8Ls/ch2yDxMyKpt242W5CCUORMZMtbCP5xbLMJ8F6
X-Received: by 2002:a05:6512:1592:b0:5a7:5e0f:ac98 with SMTP id 2adb3069b0e04-5a8631c36camr4500054e87.39.1777954412073; Mon, 04 May 2026 21:13:32 -0700 (PDT)
MIME-Version: 1.0
References: <f1dce979-023f-4756-bd8a-58fe6201bf94@cs.tcd.ie> <90f2c421-9398-494a-8940-44fea9e991f4@tu-dresden.de> <CABcZeBOsR05ppKAzB088+KPHRBJAUJr+T3wx8fCo+G+K8BdBmQ@mail.gmail.com> <CAF8qwaCsr5MSLoyS1Y-OzjO_ejZrKqfZMsLRi2_LDs9ddwLf3w@mail.gmail.com> <AS4PR07MB8825348270D422465253B63689342@AS4PR07MB8825.eurprd07.prod.outlook.com> <C3F7BE58-9CAA-4562-B153-AD7F618F6465@vigilsec.com> <CAPxHsSKakNmRzW1OayqcJvB66C1sXaxCgm2-a+=ztAXAqHK8bg@mail.gmail.com> <6acf7e19-c63b-4c1c-91ff-76c032e975e8@tu-dresden.de> <CAPxHsSLY4owoBVOTWNaR1=prW_oEaDD1nDdDvAnoE1ZGG6r_Pg@mail.gmail.com> <b4da126b-17c1-43ba-ad17-760611cb240f@tu-dresden.de> <afiCQBp5L84aXAIR@LK-Perkele-VII2.locald> <085d1e36-ca09-43d7-b7c5-2b320d53ed1e@tu-dresden.de> <MN2PR17MB403134E202037F3D47A59DBCCD312@MN2PR17MB4031.namprd17.prod.outlook.com> <683ee377-6d9c-49ad-b4cc-962afaa1388d@appelbaum.net> <CAPxHsSKJm212dhjYdAR+7Jn3R2M4KhoVe7j5LNX+UQyz3JTxoA@mail.gmail.com> <a9bed2b9004f4af19e9eddc7acb8b691@huawei.com>
In-Reply-To: <a9bed2b9004f4af19e9eddc7acb8b691@huawei.com>
From: Daniel Apon <dapon.crypto@gmail.com>
Date: Tue, 05 May 2026 00:13:19 -0400
X-Gm-Features: AVHnY4Js3CDBX6WBIcqNJMKlQJ_sDuhyH9tmhp2bl0orsm_0V9KtMRMbJdjLX4g
Message-ID: <CAPxHsS+bHMHhf9EnkiVgG9wurEywyKiCSdwWENY41W-Lx_1kZw@mail.gmail.com>
To: Wang Guilin <Wang.Guilin@huawei.com>
Content-Type: multipart/alternative; boundary="0000000000002896a806510a4506"
Message-ID-Hash: W4H5Z3QXJ4KL22HFQQEDD6VV2WGCBMAV
X-Message-ID-Hash: W4H5Z3QXJ4KL22HFQQEDD6VV2WGCBMAV
X-MailFrom: dapon.crypto@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tIAedMapH-keTE-QtWGRrWTfTic>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Guilin,

You wrote:
"I guess here stresses on improving security strength via using larger
parameters or key sizes, but hybrid approach concerns more about the
consequence in case  the only pure PQ algorithm is fundamentally flawed (as
what happened to SIKE) or some breakthrough cryptanalysis surpasses the
security margin. Below is the link for our recent discussions in TLS WG
mailing list on the almost same topic.

  https://mailarchive.ietf.org/arch/msg/tls/5GiyxhMA7rhvR73tKrnRd8ZeOK8/"

Yes, it is clear what the hybrid approach is. I also support both pure-PQC
and hybrid approaches; they should be available, in standard, to anyone.

But as I mentioned before on this WG mailing list, this lesson "from SIKE"
-- so easily stated -- that PQC algorithms may be fundamentally flawed, is
incredibly technically imprecise.

SIKE's mathematics had a significantly higher barrier-to-entry for the
corpus of PQC researchers to understand it, properly analyze it, and speak
about it broadly.
At the end of NIST PQC Round 3, *SIKE was adjudicated by NIST as having not
received sufficient study*, which is why it was moved into a 4th Round (as
a unique object).
Lo and behold-- with some additional study and focus, there was a break.
This was a success of the process itself; not a weakness of PQC algorithms.

This is a distinct and opposite case from the study of the concrete
security of noisy linear codes (both lattice-based and code-based). While 3
code-based schemes were moved on past the 3rd round (HQC, BIKE, and Classic
McEliece), these schemes had outstanding issues between them that hadn't
resolved yet (BIKE's decryption failure analysis, Classic McEliece's syzygy
security and high practical cost of large PKs, and HQC's larger costs vs
BIKE). These issues were significantly more mature and specialized than the
technical situation with SIKE.

By contrast to SIKE (which was eventually broken outright within a quick
sequence of works), many orders of magnitude of technical research works
have gone into the study of cryptanalysis of noise linear systems. It's
just not a good parallel to draw.


On Mon, May 4, 2026 at 11:56 PM Wang Guilin <Wang.Guilin@huawei.com> wrote:

> For me, as stated previously, *I support the use of ML-DSA and also
> composite ML-DSA in TLS 1.3*.
>
>
>
> (For the latter case, yes, the number of composites may need to be reduced
> from 13 to a few, as several other experts mentioned. )
>
>
>
> I do not understand the underlying logic about “defines A is not the place
> for an A compared-to B comparison”. As both A and B are two apparent
> approaches to solve the same problem, the authors, the readers and the
> future implementers all know this. How can we just ignore this issue in a
> specification as if B were not existing?
>
>
>
> Yes, comprehensive comparison with (rough) consensus seems very hard to
> achieve, but some middle ground or neutral wordings are also helpful for
> the readers. In the simplest (also the worst?) case, at least the
> specification can say and refer to approach B, I think.
>
>
>
> >Two hard problems at X-bit security, broken independently, should take
> 2*2^X = 2^{X+1} work.
> > One hard problem at 2X-bit security should take 2^{2X} work.
>
>
>
> I guess here stresses on improving security strength via using larger
> parameters or key sizes, but hybrid approach concerns more about the
> consequence in case  the only pure PQ algorithm is fundamentally flawed (as
> what happened to SIKE) or some breakthrough cryptanalysis surpasses the
> security margin. Below is the link for our recent discussions in TLS WG
> mailing list on the almost same topic.
>
>   https://mailarchive.ietf.org/arch/msg/tls/5GiyxhMA7rhvR73tKrnRd8ZeOK8/
>
>
> Cheers,
>
>
>
> Guilin
>
>
>
>
>
>
>
>
>
>
>
> *From:* Daniel Apon <dapon.crypto@gmail.com>
> *Sent:* Tuesday, 5 May 2026 9:47 am
> *To:* Jacob Appelbaum <jacob@appelbaum.net>
> *Cc:* Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; TLS List <
> tls@ietf.org>
> *Subject:* [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
>
>
>
> Hi Jacob,
>
> You wrote:
> "When better is defined as "two hard problems are more secure than one
> maybe hard problem""
>
> This is neither standard nor textbook in complexity theory.
>
> Two hard problems at X-bit security, broken independently, should take
> 2*2^X = 2^{X+1} work.
> One hard problem at 2X-bit security should take 2^{2X} work.
>
> If you want to increase security, you should increase parameter sizes.
> Or, you should have chimed in on the security of the hard problem a decade
> ago when it was being discussed internationally.
>
> ==========
>
> In response to:
> "a document that defines A is not the place for an A compared-to B
> comparison"
> You wrote:
> " Where should it go if not there?"
>
> My answer is *here*. Resolve that here, in this conversation. Not in a
> long-lived document.
>
> ==========
>
> I believe I agree with Rich and Uri in this conversation.
>
> Moreover, I do not think both a "Why hybrids?" and a "Why not hybrids?"
> section being added addressing any of my concerns; in fact, I believe it
> only makes shoving worse -- by shoving controversy and various arguable
> opinions into a standard.
> The standard should stand on its own standard legstands.
>
> --Daniel
>
>
>
> On Mon, May 4, 2026 at 9:52 AM Jacob Appelbaum <jacob@appelbaum.net>
> wrote:
>
> Hi Rich,
>
> On 5/4/26 15:00, Salz, Rich wrote:
> > * I had sincerely proposed what I believe is a good middle ground to
> > move on. WG is free to trash my proposal.
> >
> > Okay then.  Your proposal is not a middle ground.
>
> What are the sides from your perspective and what would be a middle
> ground if not this?
>
>  > It says that hybrids are better.
>
> When better is defined as "two hard problems are more secure than one
> maybe hard problem" or "one new failure cannot result in a practical
> break of the protocol" then it follows that hybrids are better.
>
> If we're not talking about "better" in the context of security but byte
> overhead or energy efficiency, then we'd need some other definitions for
> the word better, I suppose.
>
> >
> > I still maintain that a document that defines A is not the place for
> > an A compared-to B comparison.
>
> Where should it go if not there?
>
> If it should go somewhere else, would a reference to that other place
> also be wrong?
>
> > From the mailing list traffic, several other long-timers agree with that.
> >
> This reads as an appeal to authority over a reasonable analysis that is
> related to Usama's formal proof. I do not find it compelling and it
> appears as dismissive to Usama's efforts. What's the constructive
> counter proposal other than writing as if hybrids don't exist or that
> PQC without a hybrid construction isn't a novel risk?
>
> Long-timers can be wrong and given the Dual_EC history and various
> related drafts, they might even be wrong twice for the concerns raised
> by Usama and others.
>
> Kind regards,
> Jacob Appelbaum
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
>