Scott Fluhrer (sfluhrer) writes:
> Might I ask what are we arguing about?

This thread is on a draft proposing Dilithium for TLS rather than ECC+Dilithium for TLS. There are proposals to have the TLS WG adopt the draft (e.g., "I support the adoption"). There are circular arguments saying that standardizing the draft is important because someone says it's important (e.g., "we'll end up standardizing [because of] some customers who want ML-DSA only"). There are counterarguments saying that this is creating unnecessary security risks, in the same way that non-hybrid KEM deployment would be creating unnecessary security risks. Specific points under discussion include the question of what weight the TLS WG should put on an NSA ban of hybrids, and the question of whether NSA has in fact banned hybrids.

> Does the TLS working group feel the need to prohibit pure ML-DSA as
> authentication?

This would be taking a useful step against an unnecessarily risky proposal. This step would also help focus attention on what's best for moving PQ deployment forward, namely ECC+PQ.

> Even though, after Q-day happens (whenever that will be), that might
> be what people want?

"Concretely, think about a demo showing that spending a billion dollars on quantum computation can break a thousand X25519 keys. Yikes! We should be aiming for much higher security than that! We don't even want a billion-dollar attack to be able to break _one_ key! Users who care about the security of their data will be happy that we deployed post-quantum cryptography. But are the users going to say 'Let's turn off X25519 and make each session a million dollars cheaper to attack'? I'm skeptical. I think users will need to see much cheaper attacks before agreeing that X25519 has negligible security value."

Analogous comments apply to Ed25519.

The quote is from a much more comprehensive analysis of the anti-hybrid arguments from NSA and GCHQ: https://blog.cr.yp.to/20240102-hybrid.html

For both encryption and signatures, sure, looking farther and farther into the future makes it more and more plausible that ECC will be shown to be really cheap to break, making it plausible that people will decide to remove it. But it's baffling to see the possibility of a far-future simplification being used as an argument to incur security risks today.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
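The ECC+PQ signature composition the message argues for, as an added example that is not part of the original post and not code from any of the drafts or implementations under discussion. It assumes an AND-composition: a hybrid signature is one Ed25519 signature plus one post-quantum signature over the same bytes, and verification succeeds only if both legs verify, so an attacker must break both Ed25519 and the PQ scheme to forge. Go's standard library has no ML-DSA, so a hash-based Lamport one-time signature (SHA-256, stdlib only) stands in for the PQ leg; that substitution is this example's assumption, and the one-time restriction is a property of Lamport, not of ML-DSA. The names `HybridPrivateKey`, `GenerateHybridKey`, `HybridSign` and `HybridVerify` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	lamportBits   = 256         // one secret pair per bit of the SHA-256 message hash
	lamportLeaf   = sha256.Size // 32 bytes per secret and per hashed public value
	lamportSigLen = lamportBits * lamportLeaf
	hybridSigLen  = ed25519.SignatureSize + lamportSigLen
)

// lamportKey is a hash-based one-time signature key, used here as a stand-in
// for the post-quantum leg (ML-DSA in the draft under discussion).
type lamportKey struct {
	sk   [lamportBits][2][lamportLeaf]byte // secret preimages
	pk   [lamportBits][2][lamportLeaf]byte // sha256 of each secret
	used bool                              // a Lamport key must never sign twice
}

type HybridPublicKey struct {
	ECC ed25519.PublicKey
	PQ  [lamportBits][2][lamportLeaf]byte
}

type HybridPrivateKey struct {
	ecc    ed25519.PrivateKey
	pq     *lamportKey
	Public HybridPublicKey
}

// GenerateHybridKey makes one Ed25519 key pair and one Lamport key pair.
func GenerateHybridKey() (*HybridPrivateKey, error) {
	eccPub, eccPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	lk := &lamportKey{}
	for i := 0; i < lamportBits; i++ {
		for b := 0; b < 2; b++ {
			if _, err := rand.Read(lk.sk[i][b][:]); err != nil {
				return nil, err
			}
			lk.pk[i][b] = sha256.Sum256(lk.sk[i][b][:])
		}
	}
	return &HybridPrivateKey{ecc: eccPriv, pq: lk,
		Public: HybridPublicKey{ECC: eccPub, PQ: lk.pk}}, nil
}

// hashBit returns bit i (MSB first) of the SHA-256 digest of msg.
func hashBit(h *[sha256.Size]byte, i int) byte {
	return (h[i/8] >> (7 - uint(i%8))) & 1
}

// HybridSign produces ed25519Sig || lamportSig, both over the same message.
func HybridSign(priv *HybridPrivateKey, msg []byte) ([]byte, error) {
	if priv.pq.used {
		return nil, errors.New("lamport leg already used: refusing to sign twice")
	}
	priv.pq.used = true
	sig := make([]byte, 0, hybridSigLen)
	sig = append(sig, ed25519.Sign(priv.ecc, msg)...)
	h := sha256.Sum256(msg)
	for i := 0; i < lamportBits; i++ {
		sig = append(sig, priv.pq.sk[i][hashBit(&h, i)][:]...)
	}
	return sig, nil
}

func lamportVerify(pk *[lamportBits][2][lamportLeaf]byte, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	ok := true
	for i := 0; i < lamportBits; i++ {
		leaf := sha256.Sum256(sig[i*lamportLeaf : (i+1)*lamportLeaf])
		if !bytes.Equal(leaf[:], pk[i][hashBit(&h, i)][:]) {
			ok = false // keep checking every leaf; no early exit
		}
	}
	return ok
}

// HybridVerify is the AND-composition: both legs must verify. There is no
// fallback to "whichever leg passed", which is exactly what makes the
// composition at least as strong as its stronger component.
func HybridVerify(pub *HybridPublicKey, msg, sig []byte) bool {
	if len(sig) != hybridSigLen {
		return false
	}
	eccOK := ed25519.Verify(pub.ECC, msg, sig[:ed25519.SignatureSize])
	pqOK := lamportVerify(&pub.PQ, msg, sig[ed25519.SignatureSize:])
	return eccOK && pqOK
}

func main() {
	priv, err := GenerateHybridKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: TLS CertificateVerify transcript hash") // not a real transcript
	sig, err := HybridSign(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact:", HybridVerify(&priv.Public, msg, sig))
	eccBad := append([]byte(nil), sig...)
	eccBad[0] ^= 1 // corrupt only the Ed25519 leg
	fmt.Println("ECC leg forged:", HybridVerify(&priv.Public, msg, eccBad))
	pqBad := append([]byte(nil), sig...)
	pqBad[ed25519.SignatureSize] ^= 1 // corrupt only the PQ leg
	fmt.Println("PQ leg forged:", HybridVerify(&priv.Public, msg, pqBad))
}
```

Corrupting either leg alone makes the whole signature invalid, which is the point of the hybrid: a break of Ed25519 alone, or of the PQ scheme alone, does not yield a forgery. A real deployment would replace the Lamport leg with ML-DSA, carry both public keys in one certificate, and bind the two legs to each other (for instance by signing the composite algorithm identifier along with the message) so a verifier cannot be talked into accepting a single leg.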