Hi John,

> According to government definitions, composites should preserve the security 
> properties of their components. The IETF has done a good job with KEMs in 
> this regard. I find it absurd that we are even discussing composite 
> signatures that significantly weaken the security properties of ML-DSA by 
> removing its BUFF properties and introducing malleability vulnerabilities.

Is this focused on TLS or a general comment?

Because a PQ+T composite TLS protocol, if implemented via (say) 
draft-reddy-tls-composite-mldsa, would indeed preserve the security properties 
of both T-TLS and PQ-TLS.

In other words: Is there a relevant BUFF-attack for TLS?
I recall that our hybrid KEM construction would be similarly unsafe in 
non-transcript-hashed contexts, due to potential ciphertext malleability of a 
broken component. This is of little consequence to TLS.


> The discussion here applies to both the signature_algorithms and 
> signature_algorithms_cert extensions. PQ/T composites cannot be used for 
> long-term roots of trust. Many jurisdictions are discussing regulatory 
> requirements for PQC, and it is very unclear whether quantum-vulnerable 
> algorithms can be retained long term across all of them. This creates a 
> significant business risk even with well-designed composites. The risk is 
> further substantially amplified by composites that significantly weaken the 
> security properties of ML-DSA.

This seems more about the chain.
Again, simple composites preserve EUF-CMA, which TLS relies on. Consequently, 
composite roots of trust are only as quantum-vulnerable in TLS as their PQ part.
Do you know of an extension or have one implemented/drafted which relies on 
other properties?

I agree with you that the composites we have here are not general-purpose 
constructions. I just do not think that it should matter for the protocol at 
hand.

Best,

-- TBB
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to