> -----Original Message----- > From: ilariliusva...@welho.com <ilariliusva...@welho.com> > Sent: Saturday, November 23, 2024 3:44 AM > To: tls@ietf.org > Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS > > > But with signatures, the risks become substantial because: > > - Complexity. Some of it to deal with known non-obvious attacks. > - Known unknown attacks. > > Even just the LAMPS composite signature combiner is known to be > cryptographically unsound. Sound signature combiners are in theory > impossible (practical sound signature combiners might exist). >
Can you expound on that? The composite signature combiner is "place the RSA signature here, place the ML-DSA signature there, we're done". Given that the verifier checks both the RSA signature and the ML-DSA signature, I would naively expect that any successful forgery would need to break both. Could you explain what I'm missing? _______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
