draft-ietf-lamps-pq-composite-sigs writes:

“CompositeML-DSA only achieves SUF security if both components are SUF secure, 
which is not a useful property”

I don’t understand why this would not be a useful property. I don’t like that 
IETF is standardizing EUF-CMA composites of the SUF-CMA ML-DSA. There are good 
reasons that IETF made EdDSA SUF-CMA and NIST made ML-DSA SUF-CMA. Users and 
developers are very good at shooting themselves in the foot, we should help 
them avoid that. IETF should design things assuming that the user has very 
little understanding of cryptography. Many users and developers have limited 
understanding of cryptography and typically wrongly believe all signatures are 
SUF-CMA. There have been several instances of vulnerabilities due to assuming 
that EUF-CMA signatures are SUF-CMA.

I think IETF should only make SUF-CMA composites of ML-DSA RECOMMENDED=Y. My 
understanding is that

id-MLDSA44-Ed25519
id-MLDSA65-Ed25519
id-MLDSA87-Ed448

are SUF-CMA.

Cheers,
John

From: tirumal reddy <kond...@gmail.com>
Date: Thursday, 28 November 2024 at 07:11
To: Ilari Liusvaara <ilariliusva...@welho.com>
Cc: tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS
Hi Ilari,

The composite signature defined in draft-ietf-lamps-pq-composite-sigs is 
EUF-CMA secure and achieves weak non-separability. It aligns with the security 
considerations for hybrid digital signatures discussed in 
https://datatracker.ietf.org/doc/draft-ietf-pquip-hybrid-signature-spectrums/, 
which has recently completed WGLC. If there are any objections, now is the time 
to raise them within the PQUIP and LAMPS WGs.

Cheers,
-Tiru

On Sat, 23 Nov 2024 at 14:15, Ilari Liusvaara 
<ilariliusva...@welho.com> wrote:
On Thu, Nov 21, 2024 at 08:45:14PM -0000, D. J. Bernstein wrote:
> Blumenthal, Uri - 0553 - MITLL writes:
> > Given how the two (KEM and DSA) are used, and what threats may exist
> > against each of them, I think it’s perfectly fine to use PQ instead of
> > ECC+PQ here.
>
> Hmmm. I don't see where your previous anti-hybrid argument
> (https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/rL9T8mpAkMs/m/i3QKJYZbEAAJ)
> distinguishes encryption from signatures.
>
> Are you saying that you're now in favor of hybrids for encryption but
> not for signatures? What's the relevant difference?

The risks posed by the hybrid construction itself.


> On the pro-hybrid side, here's the common-sense argument again, where I
> again don't see a difference between signatures and encryption:
>
>    * With ECC+PQ encryption, an attacker with a PQ break still has to
>      break the ECC encryption. This makes ECC+PQ less risky than PQ for
>      encryption.
>
>    * With ECC+PQ signatures, an attacker with a PQ break still has to
>      break the ECC signatures. This makes ECC+PQ less risky than PQ for
>      signatures.

The argument forgets that to break ECC+PQ, the attacker has to break
_either_:

a) ECC and PQ.
b) The hybrid construction.

The risk from b) is very different for encryption and signatures.

With encryption, it is a small risk because the constructions are simple
and quite resilient to flaws (outside memory safety) in the real world.

But with signatures, the risks become substantial because:

- Complexity. Some of it to deal with known non-obvious attacks.
- Known unknown attacks.

Even just the LAMPS composite signature combiner is known to be
cryptographically unsound. Sound signature combiners are in theory
impossible (practical sound signature combiners might exist).




-Ilari

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
