Hi Kris,

On 23.04.26 23:33, Kris Kwiatkowski wrote:
> The pqc-forum is the right venue for surfacing concrete concerns about ML-DSA, and they would genuinely welcome hearing about any new cryptanalytic results.
Thank you for your proposal. I was not sure if their focus is really the TLS protocol, which is what my analysis exclusively focuses on. But as you suggest, I will join once I have full results from my formal analysis.

Since you mention "cryptanalytic results", please accept my sincere apologies if I sounded like I have done some cryptanalysis. I would like to clarify that I have not done any cryptanalysis. I have done a literature review and started modeling in a symbolic analysis tool (ProVerif). Currently, I am comparing the properties of hybrid vs. pure PQ, analogous to [0] (which is for ML-KEM), and investigating downgrade attacks.
> ML-DSA isn't a recent arrival: Dilithium was submitted to NIST PQC in 2017 and went through three rounds of open cryptanalysis. In those ~9 years of public scrutiny by both academia and industry, there has been no meaningful progress toward breaking it.
Right, I fully acknowledge that. But my point was that:

* we have no guarantee which one (traditional or non-hybrid PQ) will break first.
* we have no guarantee that a CRQC actually exists, or will exist in the near future, or will be cost-effective (I read in the thread that someone wrote some other conditions very concisely, but I don't seem to find that email right now).

Hence, I believe hybrid should currently be the preferred way forward. Do you disagree with that? I would love to hear your thoughts about that. Thank you.
Best regards,
-Usama

[0] https://www.ietf.org/archive/id/draft-usama-tls-fatt-extension-05.html#section-3.3.1
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
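The argument in Usama's message (with an AND-composed hybrid, the adversary must break both the traditional and the PQ component, whereas an unauthenticated fallback to a single component reintroduces a downgrade) can be made concrete in code. The following is an added example for this page, not code from the thread, from ProVerif, or from the draft cited as [0]. It is a toy model: each "signature scheme" is stood in for by an HMAC under a secret key, and a scheme being "broken" (by a CRQC for the traditional scheme, or by a classical advance against the PQ scheme) is modelled as the adversary knowing that key. The scheme names, the `fallback_verify` negotiation logic, and the transcript message are all constructed for illustration.

```python
"""Toy model of hybrid (AND) signature verification vs. single-scheme fallback.

Constructed example. Real deployments would use e.g. ECDSA/Ed25519 and ML-DSA;
here every scheme is an HMAC-SHA256 tag under a secret key so the model runs
offline. "broken" means the adversary can forge signatures of that scheme,
which in this model is the same as knowing the key.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

TAG_LEN = 32  # HMAC-SHA256 output length; used to split a hybrid signature


@dataclass
class Scheme:
    name: str                       # label only, mixed into the tag for domain separation
    broken: bool = False            # True: adversary can forge (e.g. CRQC vs. ECDSA)
    key: bytes = field(default_factory=lambda: os.urandom(32))

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self.key, self.name.encode() + b"|" + msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        return len(sig) == TAG_LEN and hmac.compare_digest(self.sign(msg), sig)

    def forge(self, msg: bytes) -> Optional[bytes]:
        """Adversary's best effort: a valid signature only if the scheme is broken."""
        return self.sign(msg) if self.broken else None


def hybrid_sign(trad: Scheme, pq: Scheme, msg: bytes) -> bytes:
    # Both components sign the same message; the composite is their concatenation.
    return trad.sign(msg) + pq.sign(msg)


def hybrid_verify(trad: Scheme, pq: Scheme, msg: bytes, sig: bytes) -> bool:
    # AND composition: reject unless BOTH component signatures verify.
    if len(sig) != 2 * TAG_LEN:
        return False
    return trad.verify(msg, sig[:TAG_LEN]) and pq.verify(msg, sig[TAG_LEN:])


def adversary_forge_hybrid(trad: Scheme, pq: Scheme, msg: bytes) -> Optional[bytes]:
    a, b = trad.forge(msg), pq.forge(msg)
    return a + b if (a is not None and b is not None) else None


def fallback_verify(trad: Scheme, pq: Scheme, msg: bytes, alg: str, sig: bytes) -> bool:
    """Insecure verifier (constructed): honours an algorithm label that the
    adversary controls, so a single-component signature is accepted whenever
    the adversary can produce one. This is the downgrade the hybrid is meant
    to prevent."""
    if alg == "hybrid":
        return hybrid_verify(trad, pq, msg, sig)
    if alg == "trad":
        return trad.verify(msg, sig)
    if alg == "pq":
        return pq.verify(msg, sig)
    return False


def scenario(trad_broken: bool, pq_broken: bool,
             msg: bytes = b"constructed TLS transcript hash") -> Dict[str, bool]:
    """For a given break state, report which verifiers the adversary can fool."""
    trad = Scheme("ecdsa-stand-in", broken=trad_broken)
    pq = Scheme("mldsa-stand-in", broken=pq_broken)
    out: Dict[str, bool] = {}

    honest = hybrid_sign(trad, pq, msg)
    out["honest_hybrid_accepted"] = hybrid_verify(trad, pq, msg, honest)

    s = trad.forge(msg)
    out["trad_only_forged"] = s is not None and trad.verify(msg, s)
    s = pq.forge(msg)
    out["pq_only_forged"] = s is not None and pq.verify(msg, s)
    s = adversary_forge_hybrid(trad, pq, msg)
    out["hybrid_forged"] = s is not None and hybrid_verify(trad, pq, msg, s)

    # Downgrade: adversary picks whichever single component it can forge and
    # relabels the signature accordingly.
    out["fallback_forged"] = any(
        s is not None and fallback_verify(trad, pq, msg, alg, s)
        for alg, s in (("trad", trad.forge(msg)), ("pq", pq.forge(msg)))
    )
    return out


if __name__ == "__main__":
    for tb, pb in ((False, False), (True, False), (False, True), (True, True)):
        print(f"trad_broken={tb!s:5} pq_broken={pb!s:5} -> {scenario(tb, pb)}")
```

The point the model makes is the one in the message: `hybrid_forged` becomes true only when both components are broken, while `fallback_forged` becomes true as soon as either one is, because the fallback verifier lets the adversary choose which component to rely on. A ProVerif model of the same composition would express the AND-composition as a destructor that succeeds only when both component checks succeed, and the downgrade as the algorithm label being sent over the attacker-controlled channel.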
