John,

I agree with you. My point was that even in the theoretical “addition” context — which is not really meaningful — it is still (practically) never as simple as “1000 + 1 > 1000”.

TNX
--
V/R,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
C. A. R. Hoare

From: John Mattsson <[email protected]>
Date: Tuesday, May 26, 2026 at 11:58
To: Blumenthal, Uri - 0553 - MITLL <[email protected]>; Brian E Carpenter <[email protected]>; [email protected] <[email protected]>
Subject: Re: [TLS] Re: [EXT] Re: [Last-Call] <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

The bigger problem with both double encryption and PQ/T hybrids is that they cannot meaningfully be compared to addition (+). In fact, it is misleading to speak about “adding” security at all, since the resulting “sum” may actually be weaker than the individual “addends”.

Examples of double-encryption constructions that do not behave as one might intuitively expect include two-key double DES (2DES), double encryption with RSA using different keys, and double encryption with the same one-time pad.

These examples illustrate that cryptographic composition can behave in highly non-intuitive ways, and that security properties generally do not compose additively.

Cheers,
John Preuß Mattsson

From: Blumenthal, Uri - 0553 - MITLL <[email protected]>
Date: Tuesday, 26 May 2026 at 17:23
To: Brian E Carpenter <[email protected]>; [email protected] <[email protected]>
Subject: [TLS] Re: [EXT] Re: [Last-Call] <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

>> That depends on relative difficulty of breaking algorithms. If quantum
>> attack against first algorithm is much cheaper than attacking the second
>> algorithm, then the second algorithm is the bottleneck and adding the
>> first to composite does not improve security.
>
> Last time I checked, 1000+1 > 1000, which is all I was asserting. If I’d
> asserted "breaking two algorithms is always *significantly* harder than
> breaking one algorithm", I would have been wrong.

You keep ignoring or forgetting that the above “+1” is not free, so one has to evaluate the cost/trouble of adding that “1” against the benefits it’s going to add.

For example, nobody argues that if we super-encrypt AES ciphertext with, e.g., ARIA — we’ll increase the overall security. But, for reasons quite obvious, nobody seems willing to add that “+1” to the “1000” that AES already provided.
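Two of the composition failures named in John Mattsson's message, two-key double encryption and double encryption with the same one-time pad, worked through as an added example that is not part of the thread. The 4-round Feistel cipher with a 16-bit key is a toy stand-in for DES, and every name and constant in it is an assumption made for illustration; the meet-in-the-middle search recovers the 32-bit key pair with about 2^17 cipher operations, not 2^32.

```python
import os

MASK = 0xFFFF
KEYSPACE = 1 << 16   # toy 16-bit key, small enough to enumerate

def _f(half, key, rnd):
    # Toy round function (assumption, not a real cipher component).
    x = ((half ^ key) + 0x9E37 * (rnd + 1)) & MASK
    x = (x * 0x2545 + 1) & MASK
    return x ^ (x >> 7)

def enc(block, key, rounds=4):
    l, r = block >> 16, block & MASK
    for i in range(rounds):
        l, r = r, l ^ _f(r, key, i)
    return (l << 16) | r

def dec(block, key, rounds=4):
    l, r = block >> 16, block & MASK
    for i in reversed(range(rounds)):
        l, r = r ^ _f(l, key, i), l
    return (l << 16) | r

def double_enc(block, k1, k2):
    return enc(enc(block, k1), k2)

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, upper bound on cipher operations)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(KEYSPACE):            # forward half: E_k1(P)
        table.setdefault(enc(p0, k1), []).append(k1)
    hits, ops = [], 2 * KEYSPACE
    for k2 in range(KEYSPACE):            # backward half: D_k2(C)
        for k1 in table.get(dec(c0, k2), ()):
            ops += 2 * len(rest)          # confirm on the remaining pairs
            if all(double_enc(p, k1, k2) == c for p, c in rest):
                hits.append((k1, k2))
    return hits, ops

def double_otp_same_pad(msg, pad):
    # XOR with the same pad twice cancels: the "ciphertext" is the plaintext.
    once = bytes(m ^ p for m, p in zip(msg, pad))
    return bytes(c ^ p for c, p in zip(once, pad))

if __name__ == "__main__":
    k1, k2 = 0x1A2B, 0xC3D4               # constructed sample keys
    pairs = [(p, double_enc(p, k1, k2)) for p in (0x01234567, 0x89ABCDEF)]
    print(meet_in_the_middle(pairs))
    print(double_otp_same_pad(b"constructed message", os.urandom(19)))
```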
