[TLS] Re: Complaint to ADs and IESG regarding TLS WG chairs falsely claiming WG consensus to issue an RFC for draft-ietf-tls-mldsa

[Daniel Apon <dapon.crypto@gmail.com>]

P.S. in full disclosure, I maintain my position of Recommended=Y for hybrid
solutions, as well as supporting pure-PQC solutions being obviously
standardized as well.

On Mon, Jun 1, 2026 at 3:40 PM Daniel Apon <dapon.crypto@gmail.com> wrote:

> " This statement might of course be outdated, but I recently asked one of
> the members of the CRYSTALS team whether this is still his view, and the
> response was: "Yes, of course." "
>
> I also recently asked *TWO* members of the CRYSTALS team whether they
> support hybrids in their view, and their joint response, which they wrote
> in tiki torches -- flaming and placed across the facade of a certain
> skyscraper located in the Iberian Peninsula, with a massive fireworks show
> celebrating the lighting of these torches -- was "No, of course not!"
>
> [[*The above was said facetiously*. In full disclosure, I have not been
> explicitly told by the CRYSTALS team that they lit fiery torches in the
> Iberian Peninsula with a massive fireworks show in support of any
> particular cryptographic viewpoint.]]
>
> -----
>
> *On a more serious note:* This entire thread of discussion is blatantly
> lacking in any novel, critical technical material.
>
> In fact, this entire thread of discussion has been kicked off by DJB, in a
> fervent (hopefully deeply sincere!) attempt to remedy what he views as a
> technical gap in upcoming standards.
> But, let's be clear: DJB had years to make *his technical case* in the
> NIST PQC process, and he didn't achieve what he hoped.
>
> Indeed, despite claiming early in the process that he would have a massive
> technical breakthrough that would break NewHope, Kyber, etc. (and thus,
> presumably lead to NTRU Prime being the chosen standard) -- which motivated
> the creation of the NIST PQC 3rd Round Seminar Talk Series
> https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions/round-3-seminars
> in the first place, which now continues to this day as
> https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline/pqc-seminars
> (and thus, is still open to DJB giving a technical talk with his
> long-promised cryptanalytic breakthroughs)
>
> So, DJB has moved to this IETF process: a more *political* and more
> *human* process, involving significantly less technical discussions, and
> hammered and hammered against the constraints of the process here itself to
> lead us to this point.
>
> After all, the worst thing for those advocating against pure-PQC solutions
> is a technical discussion on the cryptographic merits.
>
> On Sat, May 30, 2026 at 3:54 PM Tibor Jager <jager@uni-wuppertal.de>
> wrote:
>
>>
>>
>> On 30.05.26 14:11, John Mattsson wrote:
>> >
>> > - Most experts have a high degree of confidence in hash-based and
>> > lattice-based signatures. This includes US NIST, CNSA 2.0, European
>> > crypto agencies, as well as cryptographers in academia and industry,
>> > such as Sophie Schmieg [2].
>>
>> This suggests a consensus in academia that, as far as I can tell, does
>> not exist.
>>
>> Regarding “most experts”: the authors themselves (!) of Dilithium/ML-DSA
>> recommend hybrid deployment. On their website they write (see
>> https://pq-crystals.org/dilithium/index.shtml)
>>
>> "For users who are interested in using Dilithium, we recommend the
>> following: [...] Use Dilithium in a so-called hybrid mode in combination
>> with an established "pre-quantum" signature scheme."
>>
>>
>> Similarly, for Kyber/ML-KEM (see
>> https://pq-crystals.org/kyber/index.shtml) they write:
>>
>> "For users who are interested in using Kyber, we recommend the
>> following: [...] Use Kyber in a so-called hybrid mode in combination
>> with established "pre-quantum" security; for example in combination with
>> elliptic-curve Diffie-Hellman.
>>
>>
>> This statement might of course be outdated, but I recently asked one of
>> the members of the CRYSTALS team whether this is still his view, and the
>> response was: "Yes, of course."
>>
>>
>> In my view, the concern is not with lattice-based cryptography as a
>> paradigm, nor with the algorithms. Also, not with backdoors. Rather, it
>> is with the underlying hardness assumptions and, in particular, the
>> concrete parameter choices. At present, these appear fine. However,
>> assuming that this assessment is unlikely to change seems optimistic.
>>
>>
>>  > I am very unconvinced by people who criticize ML-DSA while
>>  > not applying the same scrutiny to RSA, ECDSA, and EdDSA. The criticism
>>  > of ML-DSA and IETF often applies double standards that don't survive
>>  > scrutiny.
>>
>>
>> The above comparison is not entirely apt. 30-40 years ago, there were
>> fewer alternatives available, computational resources were much more
>> limited, and hybrid deployment was generally not a practical option. By
>> the time computational costs had decreased, RSA and
>> discrete-logarithm-based systems had already accumulated decades of
>> scrutiny and practical experience.
>>
>> More importantly, in my perspective, advocating hybrids is neither a
>> criticism of ML-DSA, nor an application of double standards. But it is a
>> matter of risk management. We are considering introducing algorithms
>> based on comparatively new hardness assumptions into the most important
>> cryptographic protocol on the Internet. There is nothing wrong with
>> optimism, but in this context one may also argue that a more cautious
>> approach is warranted. Better safe than sorry.
>>
>>
>>
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-leave@ietf.org
>>
>