On Thu, Nov 21, 2024 at 08:45:14PM -0000, D. J. Bernstein wrote:
> Blumenthal, Uri - 0553 - MITLL writes:
> > Given how the two (KEM and DSA) are used, and what threats may exist
> > against each of them, I think it’s perfectly fine to use PQ instead of
> > ECC+PQ here.
> 
> Hmmm. I don't see where your previous anti-hybrid argument
> (https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/rL9T8mpAkMs/m/i3QKJYZbEAAJ)
> distinguishes encryption from signatures.
> 
> Are you saying that you're now in favor of hybrids for encryption but
> not for signatures? What's the relevant difference?

The risks posed by the hybrid construction itself.


> On the pro-hybrid side, here's the common-sense argument again, where I
> again don't see a difference between signatures and encryption:
> 
>    * With ECC+PQ encryption, an attacker with a PQ break still has to
>      break the ECC encryption. This makes ECC+PQ less risky than PQ for
>      encryption.
> 
>    * With ECC+PQ signatures, an attacker with a PQ break still has to
>      break the ECC signatures. This makes ECC+PQ less risky than PQ for
>      signatures.

The argument forgets that to break ECC+PQ, the attacker has to break
_either_:

a) ECC and PQ.
b) The hybrid construction.

The risk from b) is very different for encryption and signatures.

With encryption, it is a small risk because the constructions are simple
and quite resilient to flaws (outside memory safety) in the real world.

But with signatures, the risks become substantial because:

- Complexity. Some of it to deal with known non-obvious attacks.
- Known unknown attacks.

Even just the LAMPS composite signature combiner is known to be
cryptographically unsound. Sound signature combiners are in theory
impossible (practical sound signature combiners might exist).




-Ilari

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
