On 27-05-2026 at 01:39, Brian E Carpenter wrote:
> Which is true, as far as I can tell, of *any* double encryption, as long as the two algorithms are strictly independent.
Hybrid key exchange is not the same as double encryption. Hybrid key exchanges also require both *keys* to be independent, and the combiner function to be theoretically sound, and the combiner function to be implemented correctly. All of which I have seen go wrong in real-world code. So the probability of the hybrid being broken is really pq + r, with r the probability of any of those accidents happening.

And hybrid *signatures* (which is what this last call is about) are even trickier. As an example, the hybrids from draft-ietf-lamps-pq-composite-sigs are only EUF-CMA, even though ML-DSA by itself is SUF-CMA. Now every protocol designer using those constructions needs to figure out whether their protocol needs SUF-CMA for security or is still ok with EUF-CMA. Good luck with that.

So there are good reasons to prefer pure ML-DSA over hybrid signatures.

----
Marc Penninga
