draft-ietf-lamps-pq-composite-sigs writes: “CompositeML-DSA only achieves SUF security if both components are SUF secure, which is not a useful property”
I don’t understand why this would not be a useful property. I don’t like that IETF is standardizing EUF-CMA composites of the SUF-CMA ML-DSA. There are good reasons that IETF made EdDSA SUF-CMA and NIST made ML-DSA SUF-CMA. Users and developers are very good at shooting themselves in the foot; we should help them avoid that. IETF should design things assuming that the user has very little understanding of cryptography. Many users and developers have limited understanding of cryptography and typically wrongly believe all signatures are SUF-CMA. There have been several instances of vulnerabilities due to assuming that EUF-CMA. I think IETF should only make SUF-CMA composites of ML-DSA RECOMMENDED=Y. My understanding is that id-MLDSA44-Ed25519, id-MLDSA65-Ed25519 and id-MLDSA87-Ed448 are SUF-CMA.

Cheers,
John

From: tirumal reddy <kond...@gmail.com>
Date: Thursday, 28 November 2024 at 07:11
To: Ilari Liusvaara <ilariliusva...@welho.com>
Cc: tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS

Hi Ilari,

The composite signature defined in draft-ietf-lamps-pq-composite-sigs is EUF-CMA secure and achieves weak non-separability. It aligns with the security considerations for hybrid digital signatures discussed in https://datatracker.ietf.org/doc/draft-ietf-pquip-hybrid-signature-spectrums/, which has recently completed WGLC. If there are any objections, now is the time to raise them within the PQUIP and LAMPS WGs.

Cheers,
-Tiru

On Sat, 23 Nov 2024 at 14:15, Ilari Liusvaara <ilariliusva...@welho.com> wrote:

On Thu, Nov 21, 2024 at 08:45:14PM -0000, D. J. Bernstein wrote:
> Blumenthal, Uri - 0553 - MITLL writes:
> > Given how the two (KEM and DSA) are used, and what threats may exist
> > against each of them, I think it's perfectly fine to use PQ instead of
> > ECC+PQ here.
>
> Hmmm. I don't see where your previous anti-hybrid argument
> (https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/rL9T8mpAkMs/m/i3QKJYZbEAAJ)
> distinguishes encryption from signatures.
>
> Are you saying that you're now in favor of hybrids for encryption but
> not for signatures? What's the relevant difference?

The risks posed by the hybrid construction itself.

> On the pro-hybrid side, here's the common-sense argument again, where I
> again don't see a difference between signatures and encryption:
>
> * With ECC+PQ encryption, an attacker with a PQ break still has to
> break the ECC encryption. This makes ECC+PQ less risky than PQ for
> encryption.
>
> * With ECC+PQ signatures, an attacker with a PQ break still has to
> break the ECC signatures. This makes ECC+PQ less risky than PQ for
> signatures.

The argument forgets that to break ECC+PQ, the attacker has to break _either_:

a) ECC and PQ.
b) The hybrid construction.

The risk from b) is very different for encryption and signatures. With encryption, it is a small risk because the constructions are simple and quite resilient to flaws (outside memory safety) in the real world. But with signatures, the risks become substantial because:

- Complexity. Some of it to deal with known non-obvious attacks.
- Known unknown attacks. Even just the LAMPS composite signature combiner is known to be cryptographically unsound. Sound signature combiners are in theory impossible (practical sound signature combiners might exist).

-Ilari

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
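The EUF-CMA versus SUF-CMA distinction argued over in this thread is easiest to see on a concrete scheme. The following is an added example, not code from the thread, the LAMPS draft or any of the posters: a toy pure-Python ECDSA over secp256k1 (not constant-time, nonce derivation simplified rather than RFC 6979, not for production) used to show that ECDSA is EUF-CMA but not SUF-CMA. Given one valid signature (r, s), the pair (r, n - s) is a second valid signature on the same message, so a verifier that keys state on "the" signature bytes (deduplication, transaction ids, replay caches) can be fooled without any key being broken. The private key and message are constructed values; the `strict` low-s check is the standard mitigation a verifier applies to restore strong unforgeability for this particular scheme.

```python
"""Toy ECDSA on secp256k1 showing EUF-CMA-but-not-SUF-CMA malleability and the low-s check.
Added illustration; constants are the public secp256k1 domain parameters."""
import hashlib
import hmac

P = 2**256 - 2**32 - 977                                   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

PRIV_KEY = 0x1D3B7A9C5E2F4861B0D9C3E7F5A2B4C6D8E0F1A3B5C7D9E2F4A6B8C0D2E4F6A8  # constructed demo key
MSG = b"constructed demo message"                           # constructed sample input


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                         # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P          # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg, low_s=False):
    """ECDSA sign. With low_s=True the signer canonicalises s to the lower half-range."""
    e = hash_to_int(msg)
    counter = 0
    while True:
        # Deterministic nonce from key and message (simplified; NOT RFC 6979).
        k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"),
                                    msg + counter.to_bytes(4, "big"),
                                    hashlib.sha256).digest(), "big") % N
        counter += 1
        if k == 0:
            continue
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * priv) % N
        if s == 0:
            continue
        if low_s and s > N // 2:
            s = N - s                                       # both s and N-s are valid; pick the canonical one
        return (r, s)


def verify(pub, msg, sig, strict=False):
    """ECDSA verify. strict=True additionally rejects high-s signatures (the SUF-style check)."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    if strict and s > N // 2:
        return False
    e = hash_to_int(msg)
    w = pow(s, -1, N)
    point = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, pub))
    if point is None:
        return False
    return point[0] % N == r


def demo():
    """Returns the observations a practitioner should take away from this example."""
    pub = scalar_mult(PRIV_KEY, G)
    r, s = sign(PRIV_KEY, MSG)
    malleated = (r, N - s)                                  # derived from (r, s) alone, no key needed
    r2, s2 = sign(PRIV_KEY, MSG, low_s=True)
    return {
        "original_verifies": verify(pub, MSG, (r, s)),
        "malleated_verifies": verify(pub, MSG, malleated),   # EUF-CMA holds, SUF-CMA does not
        "strict_accepts_exactly_one": verify(pub, MSG, (r, s), strict=True)
                                      != verify(pub, MSG, malleated, strict=True),
        "low_s_strict_verifies": verify(pub, MSG, (r2, s2), strict=True),
        "low_s_malleated_strict_rejected": not verify(pub, MSG, (r2, N - s2), strict=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `strict` flag is exactly the kind of scheme-specific fix John's message is worried about: it exists only because ECDSA is malleable, and a developer who assumes every signature is SUF-CMA will not know to apply it. In a composite, the combiner inherits the weaker property of its components, which is why the thread argues for pairing ML-DSA with SUF-CMA components such as Ed25519 and Ed448 rather than relying on every verifier to add a per-scheme canonicalisation check.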