I have a comment on the presentation of draft-hu-ipsecme-pqt-hybrid-auth-02 in the session today. On the slides <https://datatracker.ietf.org/meeting/123/materials/slides-123-ipsecme-post-quantum-traditional-hybrid-pki-authentication-in-ikev2-00#page=8> it says that it is intended to allow key-reuse among standalone and composite keys with the currently proposed LAMPS signature combiner <https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-sigs-07.html>. The reason that is given there is that the context parameter that is set should mitigate the security concerns in this case.

I want to raise awareness that the signature combiner that you are using will exhibit a principal signature forgery vulnerability in the scenario where an attacker downgrades the composite key to a traditional-only key. In that case the forged message takes the specific form of the message representative M' in the LAMPS composite sig draft <https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-sigs-07.html#section-3.2-1>. The context parameter that is intended to be used by the authors doesn't prevent this.

I don't understand enough about IPsec to say whether a downgrade like the one described is possible. I suggest that the authors verify this.

Generally, I recommend that the authors choose the signature combiner based on an evaluation of its security features. Even if it can be ruled out that the forged messages are meaningful protocol messages, there might be problems when a formal verification of the protocol is conducted. I don't think that this combiner is suitable for other protocols in general. The mere fact that its use entails further security analysis is reason enough to be careful in my view. Possibly, using straightforward parallel signatures is the better choice in your case.

Falko

--

*MTG AG*
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: [email protected]
Web: mtg.de <https://www.mtg.de>

------------------------------------------------------------------------

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde


_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
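The property raised in the message above, shown as an added example that is not part of the original email, the LAMPS draft, or any IKEv2 implementation. It models the draft's message representative M' = Prefix || Domain || len(ctx) || ctx || PH(M) with SHA-256 as PH, uses the Prefix value as I understand it from draft-07 (treat it as an assumption), a constructed placeholder for the Domain (the real draft uses a DER-encoded OID), and Ed25519 keys for both components because ML-DSA is not in Go's standard library (the "PQ" key is a stand-in). The function ReusedKeyExposure is the check a verifier or key-management audit could run: if the traditional component of a composite signature verifies under a standalone key, that key has effectively signed the byte string M' on its own, and the context, being part of M', does not separate the two uses. Generating a separate standalone key is shown as the mitigation.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Prefix as I understand draft-ietf-lamps-pq-composite-sigs-07 (assumption);
// Domain is a constructed placeholder, not the draft's DER-encoded OID.
var compositePrefix = []byte("CompositeAlgorithmSignatures2025")
var compositeDomain = []byte("constructed-domain-placeholder")

// messageRepresentative builds M' = Prefix || Domain || len(ctx) || ctx || PH(M),
// with SHA-256 standing in for PH. Note that ctx sits inside M'.
func messageRepresentative(ctx, msg []byte) []byte {
	if len(ctx) > 255 {
		panic("ctx must be at most 255 bytes")
	}
	h := sha256.Sum256(msg)
	var buf bytes.Buffer
	buf.Write(compositePrefix)
	buf.Write(compositeDomain)
	buf.WriteByte(byte(len(ctx)))
	buf.Write(ctx)
	buf.Write(h[:])
	return buf.Bytes()
}

// CompositeSig holds the two component signatures. As in the draft, the
// traditional component signs M' directly; the PQ component is an Ed25519
// stand-in for ML-DSA (constructed model, not the real combiner).
type CompositeSig struct {
	PQSig   []byte
	TradSig []byte
}

func CompositeSign(pqSK, tradSK ed25519.PrivateKey, ctx, msg []byte) CompositeSig {
	mp := messageRepresentative(ctx, msg)
	return CompositeSig{
		PQSig:   ed25519.Sign(pqSK, mp),
		TradSig: ed25519.Sign(tradSK, mp),
	}
}

func CompositeVerify(pqPK, tradPK ed25519.PublicKey, ctx, msg []byte, sig CompositeSig) bool {
	mp := messageRepresentative(ctx, msg)
	return ed25519.Verify(pqPK, mp, sig.PQSig) && ed25519.Verify(tradPK, mp, sig.TradSig)
}

// ReusedKeyExposure answers: does the traditional component of this composite
// signature verify, on its own, under the given standalone public key? A true
// result means the standalone key is the composite's traditional key and the
// returned byte string M' is a message that key has signed standalone.
func ReusedKeyExposure(standalonePK ed25519.PublicKey, ctx, msg []byte, sig CompositeSig) (bool, []byte) {
	mp := messageRepresentative(ctx, msg)
	return ed25519.Verify(standalonePK, mp, sig.TradSig), mp
}

// Demo returns (compositeVerifies, exposedWithKeyReuse, exposedWithSeparateKey).
func Demo() (bool, bool, bool) {
	pqPK, pqSK, _ := ed25519.GenerateKey(rand.Reader)
	tradPK, tradSK, _ := ed25519.GenerateKey(rand.Reader)
	separatePK, _, _ := ed25519.GenerateKey(rand.Reader) // key used only standalone

	ctx := []byte("constructed-ikev2-context")
	msg := []byte("constructed sample AUTH input")

	sig := CompositeSign(pqSK, tradSK, ctx, msg)
	compositeOK := CompositeVerify(pqPK, tradPK, ctx, msg, sig)

	// Key reuse: the composite's traditional key is also published standalone.
	exposedReuse, _ := ReusedKeyExposure(tradPK, ctx, msg, sig)
	// Mitigation: a distinct standalone key; the component no longer verifies.
	exposedSeparate, _ := ReusedKeyExposure(separatePK, ctx, msg, sig)
	return compositeOK, exposedReuse, exposedSeparate
}

func main() {
	a, b, c := Demo()
	fmt.Printf("composite verifies: %v\n", a)
	fmt.Printf("trad component verifies standalone under reused key: %v\n", b)
	fmt.Printf("trad component verifies standalone under separate key: %v\n", c)
}
```

The check is deliberately independent of whether M' is a meaningful protocol message: a formal model of the protocol sees only that the standalone key has a valid signature on a string it never chose, which is the kind of cross-use a verification effort has to account for.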
