Hi John, > According to government definitions, composites should preserve the security > properties of their components. The IETF has done a good job with KEMs in > this regard. I find it absurd that we are even discussing composite > signatures that significantly weaken the security properties of ML-DSA by > removing its BUFF properties and introducing malleability vulnerabilities.
Is this focused on TLS or a general comment? Because a PQ+T composite TLS protocol, if implemented via (say) draft-reddy-tls-composite-mldsa, would indeed preserve the security properties of both T-TLS and PQ-TLS. In other words: Is there a relevant BUFF-attack for TLS? I recall that our hybrid KEM construction would be similarly unsafe in non-transcript-hashed contexts, due to potential ciphertext malleability of a broken component. This is of little consequence to TLS. > The discussion here applies to both the signature_algorithms and > signature_algorithms_cert extensions. PQ/T composites cannot be used for > long-term roots of trust. Many jurisdictions are discussing regulatory > requirements for PQC, and it is very unclear whether quantum-vulnerable > algorithms can be retained long term across all of them. This creates a > significant business risk even with well-designed composites. The risk is > further substantially amplified by composites that significantly weaken the > security properties of ML-DSA. This seems more about the chain. Again, simple composites preserve EUF-CMA, which TLS relies on. Consequently, composite roots of trust are only as quantum-vulnerable in TLS as their PQ part. Do you know of an extension or have one implemented/drafted which relies on other properties? I agree with you that the composites we have here are not general-purpose constructions. I just do not think that it should matter for the protocol at hand. Best, -- TBB _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
