Hi Ilari,

The composite signature defined in draft-ietf-lamps-pq-composite-sigs is EUF-CMA secure and achieves weak non-separability. It aligns with the security considerations for hybrid digital signatures discussed in https://datatracker.ietf.org/doc/draft-ietf-pquip-hybrid-signature-spectrums/, which has recently completed WGLC.

If there are any objections, now is the time to raise them within the PQUIP and LAMPS WGs.
Cheers,
-Tiru

On Sat, 23 Nov 2024 at 14:15, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Thu, Nov 21, 2024 at 08:45:14PM -0000, D. J. Bernstein wrote:
> > Blumenthal, Uri - 0553 - MITLL writes:
> > > Given how the two (KEM and DSA) are used, and what threats may exist
> > > against each of them, I think it's perfectly fine to use PQ instead of
> > > ECC+PQ here.
> >
> > Hmmm. I don't see where your previous anti-hybrid argument
> > (https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/rL9T8mpAkMs/m/i3QKJYZbEAAJ)
> > distinguishes encryption from signatures.
> >
> > Are you saying that you're now in favor of hybrids for encryption but
> > not for signatures? What's the relevant difference?
>
> The risks posed by the hybrid construction itself.
>
> > On the pro-hybrid side, here's the common-sense argument again, where I
> > again don't see a difference between signatures and encryption:
> >
> > * With ECC+PQ encryption, an attacker with a PQ break still has to
> >   break the ECC encryption. This makes ECC+PQ less risky than PQ for
> >   encryption.
> >
> > * With ECC+PQ signatures, an attacker with a PQ break still has to
> >   break the ECC signatures. This makes ECC+PQ less risky than PQ for
> >   signatures.
>
> The argument forgets that to break ECC+PQ, the attacker has to break
> _either_:
>
> a) ECC and PQ.
> b) The hybrid construction.
>
> The risk from b) is very different for encryption and signatures.
>
> With encryption, it is small risk because the constructions are simple
> and quite resilient to flaws (outside memory safety) in real world.
>
> But with signatures, the risks become substantial because:
>
> - Complexity. Some of it to deal with known non-obvious attacks.
> - Known unknown attacks.
>
> Even just the LAMPS composite signature combiner is known to be
> cryptographically unsound. Sound signature combiners are in theory
> impossible (practical sound signature combiners might exist).
> -Ilari
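The point argued above (to forge an ECC+PQ composite, an attacker must break both component signatures, or the combiner itself) can be made concrete with a small "AND" combiner. The following is an added, self-contained illustration written for this thread; it is not code from draft-ietf-lamps-pq-composite-sigs or from any of the posters. Because no ECC or ML-DSA implementation is available in the Python standard library, both components are stand-ins built from a hash-based Lamport one-time signature (keys must never be reused). The `DOMAIN_LABEL` constant and the `_bound_message` encoding are constructed placeholders, not the draft's actual prefix/OID encoding; they only show the idea that binding a composite-specific label into the signed message keeps a component signature from verifying as a standalone signature over the bare message (the weak non-separability property Tiru refers to). The example does not speak to the combiner-soundness question Ilari raises; it shows only what the AND rule does and does not catch.

```python
# Added example: a minimal "AND" composite-signature combiner.
# Both components are Lamport OTS stand-ins (hash-based, one-time),
# NOT the ECC and ML-DSA algorithms of the LAMPS draft.
import hashlib
import os
from typing import List, Tuple

HASH_BITS = 256  # SHA-256 digest length in bits, one Lamport key pair per bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Lamport one-time signature stand-in (sign at most once per key) ----
def lamport_keygen() -> Tuple[list, list]:
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(HASH_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes) -> str:
    return "".join(f"{byte:08b}" for byte in _h(msg))


def lamport_sign(sk: list, msg: bytes) -> List[bytes]:
    # Reveal, for each digest bit, the matching secret preimage.
    return [sk[i][int(bit)] for i, bit in enumerate(_digest_bits(msg))]


def lamport_verify(pk: list, msg: bytes, sig: List[bytes]) -> bool:
    if len(sig) != HASH_BITS:
        return False
    return all(_h(sig[i]) == pk[i][int(bit)]
               for i, bit in enumerate(_digest_bits(msg)))


# ---- Composite combiner ----
# Constructed placeholder label; the real draft defines its own encoding.
DOMAIN_LABEL = b"example-composite-sig-v0"


def _bound_message(msg: bytes) -> bytes:
    # Binding the label (and a length field) into what each component signs
    # means a component signature taken out of the composite does not verify
    # as a plain standalone signature over msg.
    return DOMAIN_LABEL + len(msg).to_bytes(4, "big") + msg


def composite_keygen():
    sk1, pk1 = lamport_keygen()  # "traditional" component stand-in
    sk2, pk2 = lamport_keygen()  # "PQ" component stand-in
    return (sk1, sk2), (pk1, pk2)


def composite_sign(sk, msg: bytes):
    sk1, sk2 = sk
    m = _bound_message(msg)
    return (lamport_sign(sk1, m), lamport_sign(sk2, m))


def composite_verify(pk, msg: bytes, sig) -> bool:
    pk1, pk2 = pk
    if sig is None or len(sig) != 2:
        return False  # a stripped or malformed composite is rejected outright
    s1, s2 = sig
    m = _bound_message(msg)
    # AND rule: an attacker must defeat BOTH components to pass this check.
    return lamport_verify(pk1, m, s1) and lamport_verify(pk2, m, s2)


def demo() -> dict:
    """Sign once with a fresh key and report what the combiner accepts/rejects."""
    sk, pk = composite_keygen()
    msg = b"constructed sample message"
    sig = composite_sign(sk, msg)
    s1, s2 = sig
    bogus_pq = [b"\x00" * 32] * HASH_BITS  # a "broken PQ component" forgery attempt
    return {
        "valid": composite_verify(pk, msg, sig),
        "tampered_message": composite_verify(pk, msg + b"!", sig),
        "component_stripped": composite_verify(pk, msg, (s1,)),
        "pq_component_forged": composite_verify(pk, msg, (s1, bogus_pq)),
        # Component reuse outside the composite fails because of the bound label.
        "standalone_reuse": lamport_verify(pk[0], msg, s1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the untouched composite verifies; a tampered message, a stripped component, a replaced PQ component, and reuse of the traditional component as a standalone signature are all rejected. What this check cannot show is whether the combiner itself has a flaw, which is exactly the risk Ilari separates out as case b).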
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org