If a dual signature weakens the security beyond a single given signature, there is an attack to add a second signature, and break the first target signature by breaking the dual signature. This should not be possible, but that would be the analysis here: what harm does adding a second signature bring?

On Wed, Nov 27, 2024 at 12:32 PM Scott Fluhrer (sfluhrer) <sfluhrer=40cisco....@dmarc.ietf.org> wrote:

> Ilari, you have stated that:
>
> > Even just the LAMPS composite signature combiner is known to be
> > cryptographically unsound
>
> I assume that you're talking about draft-ietf-lamps-pq-composite-sigs-03.
> If so, I must ask you to back up that statement, providing either a
> citation, or a self-evident explanation.
>
> When I look at it, it would appear to me that generating a forgery
> against a valid verifier would require either:
> - Finding a collision in the hash function
> - Generating a forgery for both ML-DSA and the classical signature
>   algorithm.
>
> Given that we believe that both of the two are hard problems, it would
> appear that the system is cryptographically sound.
>
> In addition, someone could take a valid composite signature and extract
> the classical signature, creating an existential forgery for the classical
> public key. This is not a practical concern if (as the draft recommends)
> you never use that public key in another context. Hence, it is hard to
> consider this as an example of cryptographical unsoundness.
>
> If you have any evidence to the contrary, please share it. If you do not
> have such evidence, please apologize.
>
> > -----Original Message-----
> > From: Scott Fluhrer (sfluhrer) <sfluhrer=40cisco....@dmarc.ietf.org>
> > Sent: Saturday, November 23, 2024 8:46 AM
> > To: ilariliusva...@welho.com; tls@ietf.org
> > Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS
> >
> > > -----Original Message-----
> > > From: ilariliusva...@welho.com <ilariliusva...@welho.com>
> > > Sent: Saturday, November 23, 2024 3:44 AM
> > > To: tls@ietf.org
> > > Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS
> > >
> > > But with signatures, the risks become substantial because:
> > >
> > > - Complexity. Some of it to deal with known non-obvious attacks.
> > > - Known unknown attacks.
> > >
> > > Even just the LAMPS composite signature combiner is known to be
> > > cryptographically unsound. Sound signature combiners are in theory
> > > impossible (practical sound signature combiners might exist).
> > >
> >
> > Can you expound on that? The composite signature combiner is "place the
> > RSA signature here, place the ML-DSA signature there, we're done".
> >
> > Given that the verifier checks both the RSA signature and the ML-DSA
> > signature, I would naively expect that any successful forgery would need to
> > break both.
> >
> > Could you explain what I'm missing?
> >
> > _______________________________________________
> > TLS mailing list -- tls@ietf.org
> > To unsubscribe send an email to tls-le...@ietf.org
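
The two properties Scott Fluhrer describes in the quoted message (a verifier that checks both components, and a component signature that can be lifted out and still verifies under its own key), as an added example that is not part of the thread or of draft-ietf-lamps-pq-composite-sigs. Lamport one-time signatures over SHA-256 and SHA3-256 stand in for the classical and ML-DSA components; `DOMAIN`, `bind` and the encoding are assumptions made for illustration.

```python
import hashlib, secrets

DOMAIN = b"example-composite-v0"  # constructed domain label, not from the draft

def _h(name, data):
    return hashlib.new(name, data).digest()

def _bits(name, msg):
    d = _h(name, msg)  # 32-byte digest -> 256 message bits
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def keygen(name):
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, [[_h(name, s) for s in pair] for pair in sk]

def sign(name, sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(name, msg))]

def verify(name, pk, msg, sig):
    bits = _bits(name, msg)
    return len(sig) == 256 and all(_h(name, s) == pk[i][b]
                                   for i, (s, b) in enumerate(zip(sig, bits)))

def bind(msg):
    # Both components sign the same domain-separated digest of the message.
    return DOMAIN + hashlib.sha512(msg).digest()

def composite_sign(sk_a, sk_b, msg):
    m = bind(msg)
    return sign("sha256", sk_a, m), sign("sha3_256", sk_b, m)

def composite_verify(pk_a, pk_b, msg, sig):
    m = bind(msg)
    # Reject unless BOTH components verify over the same bound message.
    return verify("sha256", pk_a, m, sig[0]) and verify("sha3_256", pk_b, m, sig[1])

def demo():
    (sk_a, pk_a), (sk_b, pk_b) = keygen("sha256"), keygen("sha3_256")
    msg = b"constructed sample message"
    sig_a, sig_b = composite_sign(sk_a, sk_b, msg)
    junk = [bytes(32)] * 256  # stands for a component that was not validly signed
    return {
        "valid": composite_verify(pk_a, pk_b, msg, (sig_a, sig_b)),
        "a_only": composite_verify(pk_a, pk_b, msg, (sig_a, junk)),
        "b_only": composite_verify(pk_a, pk_b, msg, (junk, sig_b)),
        # Extracted component verifies alone under key A, over bind(msg).
        "stripped_a": verify("sha256", pk_a, bind(msg), sig_a),
    }
```

`demo()` returns `valid` and `stripped_a` as true and both single-component cases as false; the `stripped_a` result is the reason the component key must not be accepted in any other context.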