Thanks for your comments, John. As the same concern was recently discussed within LAMPS during the WG Last Call of the composite ML-DSA draft https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/, the authors updated their document to clarify the limitations of SUF-CMA in composite schemes and added an explicit statement in the Security Considerations section (see https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-sigs-12.html#name-suf-cma).
I think our draft could follow a similar approach and include a comparable note in the Security Considerations section, clearly stating that composite signatures do not provide SUF-CMA security against quantum adversaries, and that use cases requiring strong unforgeability should avoid them. This would help align our work with LAMPS, clarify the expected security properties, and make the limitations explicit for implementers.

Best regards,
Lucas

From: John Mattsson <[email protected]>
Sent: Thursday, October 2, 2025 4:40 PM
To: Orie <[email protected]>; John Mattsson <[email protected]>
Cc: Lucas Prabel <[email protected]>; [email protected]; [email protected]; cose <[email protected]>
Subject: Re: [jose] Re: Call for Adoption request: draft-prabel-jose-pq-composite-sigs-04

Hi,

For long-lived devices that do not want to use lattice-based signatures, COSE already has registered the hash-based HSS-LMS
https://www.rfc-editor.org/rfc/rfc8708.html
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf

And SLH-DSA has been WG adopted and algorithms like SLH-DSA-SHAKE-128s
https://datatracker.ietf.org/doc/html/draft-ietf-cose-sphincs-plus-05
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf
are soon expected to be registered for COSE and JOSE. NIST is also actively working on SLH-DSA with smaller parameter sets
https://csrc.nist.gov/csrc/media/presentations/2025/sphincs-smaller-parameter-sets/sphincs-dang_2.2.pdf

Given that the composites only provide EUF-CMA against quantum attackers, which is the only type of attacker that should be considered today, I don't think COSE/JOSE should work on this.

All signatures standardized by NIST and IETF in the last 20 years (EdDSA, LMS, XMSS, ML-DSA, SLH-DSA) are SUF-CMA (for very good reasons). EUF-CMA can lead to significant vulnerabilities such as replay of messages, double billing, double money transactions, double receipts, double contracts, and log/transaction history poisoning.
SUF-CMA vs EUF-CMA is not a theoretic consideration; it is very much a real-world problem. COSE and JOSE are used in a wide variety of use cases. And we know that many/most developers will assume that all signatures are SUF-CMA. I think SLH-DSA, LMS, and XMSS are all better options than EUF-CMA composites.

Cheers,
John Preuss Mattsson
(As an individual)

From: Orie <[email protected]>
Date: Thursday, 2 October 2025 at 15:10
To: John Mattsson <[email protected]>
Cc: Lucas Prabel <[email protected]>, [email protected] <[email protected]>, [email protected] <[email protected]>, cose <[email protected]>
Subject: Re: [jose] Re: Call for Adoption request: draft-prabel-jose-pq-composite-sigs-04

Hi,

Adding COSE because of the draft title.

I think composite signatures for JOSE & COSE do not make a lot of sense for the common cases of short-lived access tokens. For longer-lived identity credentials they might make sense, especially if you are shipping hardware with no ability to upgrade that is going to speak COSE, perhaps in long-lived smart building IoT scenarios?

I would tend to wait for TLS / LAMPS (to successfully adopt documents) and align with them.

OS

On Thu, Oct 2, 2025 at 5:17 AM John Mattsson <[email protected]> wrote:

Dear Lucas,

My recollection is that the draft was presented at IETF 121 where several people stated that they did not think JOSE should work on composite signatures. At IETF 123 the draft almost did not get any time and there was no discussion. I am sorry that the chairs did not do their AP to "Chairs will send an email soliciting comments on whether we are ready to do a call for adoption." Good that you did.

I notice that TLS WG at IETF 123 seems to have decided to not work on composites at this point in time.
https://datatracker.ietf.org/meeting/123/materials/slides-123-tls-wg-status-00

The chairs would like to hear the current opinion of the working group.

Cheers,
John

From: Lucas Prabel <[email protected]>
Date: Thursday, 2 October 2025 at 10:06
To: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [jose] Call for Adoption request: draft-prabel-jose-pq-composite-sigs-04

Dear JOSE WG,

I am one of the co-authors of the individual draft draft-prabel-jose-pq-composite-sigs-04 (draft-prabel-jose-pq-composite-sigs-04 - PQ/T Hybrid Composite Signatures for JOSE and COSE <https://datatracker.ietf.org/doc/draft-prabel-jose-pq-composite-sigs/04/>).

The draft has been presented in two IETF meetings, including IETF 123 in July. We have addressed the feedback received both on the mailing list and onsite during the sessions. The draft is also aligned with related work in other groups, in particular the COSE draft on ML-DSA and the LAMPS draft on composite signatures.

We believe the document is in a good state to serve as a starting point for further work within the JOSE WG. Therefore, we would like to ask the chairs to consider issuing a Call for Adoption. We also welcome further comments and feedback on the draft from the working group.

Best regards,
Lucas

_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
