draft-ietf-lamps-pq-composite-sigs writes:
“CompositeML-DSA only achieves SUF security if both components are SUF secure,
which is not a useful property”
I don’t understand why this would not be a useful property. I don’t like that
IETF is standardizing EUF-CMA composites of the SUF-CMA ML-DSA.
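To make the SUF/EUF distinction in the quoted sentence concrete, here is a toy added by the editor; it is not the draft's construction or any poster's code. Symmetric MACs stand in for the two component schemes so it runs with the Python standard library alone; the keys and the domain-separator label are constructed. Component A accepts exactly one signature per message (SUF-like, as ML-DSA is). Component B has a trailing byte that a lax verifier ignores, so many distinct signatures verify for one message, in the same way that ECDSA accepts both (r, s) and (r, n - s). The AND-combiner inherits B's malleability: the composite stays EUF (no signature on a new message) but loses SUF, and regains it only once B's verifier is made strict, which is the "both components" condition the draft states.

```python
import hashlib
import hmac
import struct

# Constructed keys; MACs model signature schemes only for this demo.
KEY_A = b"constructed key for component A (models a SUF scheme such as ML-DSA)"
KEY_B = b"constructed key for component B (models a malleable, EUF-only scheme)"
DOMAIN = b"CompositeToy-demo-label"   # hypothetical label, plays the role of the draft's prefix


def _tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


# Component A: exactly one accepted 32-byte signature per message (SUF-like).
def sign_a(msg: bytes) -> bytes:
    return _tag(KEY_A, msg)


def verify_a(msg: bytes, sig: bytes) -> bool:
    return len(sig) == 32 and hmac.compare_digest(sig, _tag(KEY_A, msg))


# Component B: 32-byte tag plus one trailing byte. The lax verifier ignores
# that byte, so 256 distinct signatures verify per message (malleable, like
# ECDSA's (r, s) / (r, n - s)). The strict verifier pins it to zero.
def sign_b(msg: bytes) -> bytes:
    return _tag(KEY_B, msg) + b"\x00"


def verify_b(msg: bytes, sig: bytes, strict: bool = False) -> bool:
    if len(sig) != 33 or not hmac.compare_digest(sig[:32], _tag(KEY_B, msg)):
        return False
    return sig[32] == 0 if strict else True


def composite_sign(msg: bytes) -> bytes:
    """Length-prefixed concatenation of both component signatures over DOMAIN || msg."""
    m = DOMAIN + msg
    sa, sb = sign_a(m), sign_b(m)
    return struct.pack(">H", len(sa)) + sa + struct.pack(">H", len(sb)) + sb


def composite_verify(msg: bytes, sig: bytes, strict_b: bool = False) -> bool:
    """AND combiner: accept only if BOTH component signatures verify."""
    m = DOMAIN + msg
    try:
        (la,) = struct.unpack_from(">H", sig, 0)
        sa = sig[2:2 + la]
        (lb,) = struct.unpack_from(">H", sig, 2 + la)
        sb = sig[4 + la:4 + la + lb]
    except struct.error:
        return False
    if 4 + la + lb != len(sig):
        return False
    return verify_a(m, sa) and verify_b(m, sb, strict=strict_b)


def suf_attack(msg: bytes, sig: bytes, strict_b: bool = False):
    """SUF game: from one valid signature, produce a *different* accepted one.

    Returns the second signature, or None if the composite resists."""
    mutated = sig[:-1] + bytes([sig[-1] ^ 0x01])   # touch only B's trailing byte
    if mutated != sig and composite_verify(msg, mutated, strict_b):
        return mutated
    return None


def reuse_on_other_message(sig: bytes, other: bytes) -> bool:
    """EUF game, one cheap attempt: does a signature for one message verify for another?"""
    return composite_verify(other, sig)


if __name__ == "__main__":
    sig = composite_sign(b"hello")
    print("valid:", composite_verify(b"hello", sig))
    print("SUF broken with lax B:", suf_attack(b"hello", sig) is not None)
    print("SUF holds with strict B:", suf_attack(b"hello", sig, strict_b=True) is None)
    print("reused on other message:", reuse_on_other_message(sig, b"other"))
```

Whether the loss of SUF matters is exactly the question being argued: it is harmless where a protocol only needs that nobody can sign a new message, and it bites where a protocol treats the signature bytes themselves as unique (transcript binding, deduplication, signature-as-identifier).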
Hi Illari,
The composite signature defined in draft-ietf-lamps-pq-composite-sigs is
EUF-CMA secure and achieves weak non-separability. It aligns with the
security considerations for hybrid digital signatures discussed in
https://datatracker.ietf.org/doc/draft-ietf-pquip-hybrid-signature-spectrums/
If a dual signature weakens the security beyond a single given signature,
there is an attack to add a second signature, and break the first target
signature by breaking the dual signature. This should not be possible, but
that would be the analysis here: what harm does adding a second signature
bri
Ilari, you have stated that:
> Even just the LAMPS composite signature combiner is known to be
> cryptographically unsound
I assume that you're talking about draft-ietf-lamps-pq-composite-sigs-03. If
so, I must ask you to back up that statement, providing either a citation, or a
self-evident e
I agree with David's analysis. I think, when reasoning about this, we
should separate the "how to profile TLS 1.2 down" parts from the "extend
TLS 1.2 with more protocol fixes" parts. That's not a knock against those
fixes... it's a good thing! Profiling things down is often a
configuration-only ch
Hello Peter,
This doesn't really answer my question. I don't have time to read
through the 18 analysis papers, but [TLS-Analysis-14] describes the
Triple Handshake attack. Isn't that fixed by the extended_master_secret
extension (RFC 7627)? If so, then this could be addressed by a guidance
do
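The question above is what RFC 7627 changes about the master secret. The following is an added example by the editor, not part of the thread: it implements the TLS 1.2 PRF from RFC 5246 (P_SHA256; suites with a SHA-384 PRF substitute that hash) and the two master secret derivations, then runs a constructed triple-handshake-style scenario in which a malicious server relays the client's pre-master secret and randoms into its own connection to an honest server. The transcripts (and the handshake message bytes used here) are constructed stand-ins, not real TLS encodings. With RFC 5246 the two connections end up with the same master secret; with RFC 7627 the master secret is bound to the session hash, so the two connections, whose transcripts differ at least in the certificate, derive different secrets.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: A(i) = HMAC(secret, A(i-1)), A(0) = seed,
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_<hash>(secret, label + seed), SHA-256 here."""
    return p_sha256(secret, label + seed, length)


def master_secret_rfc5246(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Bound only to the pre-master secret and the two randoms.
    return prf(pms, b"master secret", client_random + server_random, 48)


def master_secret_rfc7627(pms: bytes, session_hash: bytes) -> bytes:
    # Bound to the hash of the whole handshake so far (extended master secret).
    return prf(pms, b"extended master secret", session_hash, 48)


def session_hash(handshake_messages: list) -> bytes:
    """Hash of all handshake messages up to and including ClientKeyExchange (RFC 7627 section 3)."""
    h = hashlib.sha256()
    for m in handshake_messages:
        h.update(m)
    return h.digest()


def triple_handshake_scenario() -> dict:
    """Constructed scenario: attacker A fronts the client and relays to honest server S.

    A copies client_random into its ClientHello to S, copies S's server_random back to the
    client, and re-encrypts the decrypted pre-master secret to S. The two connections then
    share pms and both randoms but have different transcripts (different certificates)."""
    pms = bytes(range(48))
    client_random = b"C" * 32
    server_random = b"S" * 32
    # Constructed placeholder message bytes, not real TLS handshake encodings.
    transcript_client_to_A = [b"ClientHello", b"ServerHello", b"Certificate:attacker", b"ClientKeyExchange"]
    transcript_A_to_S = [b"ClientHello", b"ServerHello", b"Certificate:honest", b"ClientKeyExchange"]

    legacy_a = master_secret_rfc5246(pms, client_random, server_random)
    legacy_s = master_secret_rfc5246(pms, client_random, server_random)
    ems_a = master_secret_rfc7627(pms, session_hash(transcript_client_to_A))
    ems_s = master_secret_rfc7627(pms, session_hash(transcript_A_to_S))
    return {"legacy_equal": legacy_a == legacy_s, "ems_equal": ems_a == ems_s}


if __name__ == "__main__":
    result = triple_handshake_scenario()
    print("RFC 5246 master secrets equal across the two connections:", result["legacy_equal"])
    print("RFC 7627 master secrets equal across the two connections:", result["ems_equal"])
```

The shared master secret is what lets the later resumption and renegotiation steps of the attack line up; once the secret differs per connection, that synchronization is gone, which is why RFC 7627 requires the extension to be negotiated on both the original and the resumed session for the protection to hold.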