On Fri, Apr 10, 2026 at 12:47:22AM +0200, Muhammad Usama Sardar wrote:
> FWIW: this draft has similar issues the WG has been discussing for pure
> ML-KEM for quite some time now. Hence, I *oppose* publication. Some
> preliminary cents below. I'll do more study and may share more details until
> the end of WGLC.
But actually, the concerns **are** quite different, because there's no
timewarp. Future breaks are not a concern now.
> IMHO, /all/ such pure PQ thingies should be dispatched to CFRG Review Panel
> to get their attestation on security considerations.
You keep saying that, but this is not CFRG's rôle in this context.
> # /Security considerations/
>
> FWIW: the security considerations are insufficient. Security considerations
> simply refer to FIPS, Sec. 3.4 [1], but I believe we should at the very
> least forbid deterministic signing with a MUST NOT, because deterministic
> signing may leave the door open for side-channel attacks and fault injection
> attacks.
The verifier has no means to know whether the signature is deterministic
or hedged, and the FIPS 204, Section 3.4 text seems sufficient:
    This document also permits a fully deterministic variant of the
    signing procedure in case the signer has no access to a fresh source
    of randomness at signing time. However, the lack of randomness in
    the deterministic variant makes the risk of side-channel attacks
    (particularly fault attacks) more difficult to mitigate. Therefore,
    this variant should not be used on platforms where side-channel
    attacks are a concern and where they cannot be otherwise mitigated.
--
Viktor. 🇺🇦 Слава Україні!
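The point made above (the verifier cannot tell hedged from deterministic signing) follows from where the randomness enters FIPS 204 signing. The following is an added illustration, not code from the thread or from any ML-DSA implementation: it reproduces only the two SHAKE256 derivations from ML-DSA.Sign, the message representative mu and the private seed rho'', and omits the lattice sampling and rejection loop that consume rho''. K and tr are constructed example values; rnd is 32 random bytes in hedged mode and 32 zero bytes in the deterministic variant.

```python
import hashlib
import secrets

# FIPS 204 Algorithm 2: for the deterministic variant, rnd <- {0}^32
DETERMINISTIC_RND = bytes(32)

# Constructed example values (real ones come from ML-DSA.KeyGen):
# K is the 32-byte signing seed, tr the 64-byte hash of the public key.
EXAMPLE_K = bytes(range(32))
EXAMPLE_TR = bytes(range(64))


def message_representative(tr: bytes, msg: bytes, ctx: bytes = b"") -> bytes:
    """mu = H(tr || M', 64) with M' = 0x00 || len(ctx) || ctx || M (pure ML-DSA)."""
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    m_prime = bytes([0, len(ctx)]) + ctx + msg
    return hashlib.shake_256(tr + m_prime).digest(64)


def private_seed(k: bytes, mu: bytes, rnd: bytes) -> bytes:
    """rho'' = H(K || rnd || mu, 64): the only point where rnd enters signing.

    rho'' seeds ExpandMask for the per-signature vector y; neither rho'' nor
    rnd is part of the signature (c~, z, h), so a verifier never sees them.
    """
    return hashlib.shake_256(k + rnd + mu).digest(64)


def signing_seed(k: bytes, tr: bytes, msg: bytes, hedged: bool = True,
                 ctx: bytes = b"") -> bytes:
    """Derive rho'' for one signing operation in hedged or deterministic mode."""
    rnd = secrets.token_bytes(32) if hedged else DETERMINISTIC_RND
    return private_seed(k, message_representative(tr, msg, ctx), rnd)


def seed_repeats(k: bytes, tr: bytes, msg: bytes, hedged: bool) -> bool:
    """True if two signings of the same message reuse the same rho''.

    Deterministic mode always repeats, which is what makes a faulted run
    directly comparable with an unfaulted one; hedged mode does not.
    """
    return signing_seed(k, tr, msg, hedged) == signing_seed(k, tr, msg, hedged)
```

Because only the signer's inputs differ between the two modes, a policy such as "MUST NOT sign deterministically" can be enforced at the signer and in its test suite (e.g. by checking that repeated signatures over one message differ), not by the verifier.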
_______________________________________________
TLS mailing list -- [email protected]