2026-04-26 10:08 GMT+02:00 Muhammad Usama Sardar <[email protected]>:
> Hi Bas,
>
> On 26.04.26 09:27, Bas Westerbaan wrote:
>
>>>> I see serious risk that pure PQ signature schemes considered today
>>>> (e.g., ML-DSA-65) will be insecure against active attackers using
>>>> traditional computers in 10 years. Is anyone willing to bet against?
>>> I am surely not.
>>>
>> https://github.com/FiloSottile/ecc-vs-lattices-long-bet
> Thanks, that's very interesting, but my reading of Simon's quote was that he
> is making a point about "PQ signature schemes" by explicitly mentioning it,
> whereas the bet you share seems to be about KEMs. So that appears irrelevant
> to the point Simon was making.
>
I will take each and every bet on ML-DSA-44, on the same terms as the
https://github.com/FiloSottile/ecc-vs-lattices-long-bet main (vs. Ed25519) or
secondary (vs. 128-bit security level, no draw outcome) wagers, from anyone who
ever posted on the TLS or LAMPS WG mailing lists as of today.

I reserve the right to cap the stakes, but I haven't picked a limit yet and I
doubt we'll reach it. I have a preference for settlement via 501(c)(3)
donation, but I will also take direct payment from/to anyone not under US or EU
sanctions.

We should obviously not pollute this thread, so ideally open an issue on
https://github.com/FiloSottile/ecc-vs-lattices-long-bet or alternatively email
me privately (with a different subject).
_______________________________________________
TLS mailing list -- [email protected]