Hi, John and all, Have checked with several cryptographers for the necessity of SUF-CAM signatures. Up to now, no example has convinced me that there is any real application where only SUF-CAM signatures, but not EUF-CMA ones, must be used. However, it is indeed true that due to the stronger security of SUF-CAM signatures, the use and management for them in applications shall be simpler.
Here are two specific comments on composite signatures. 1. "Given that the composites only provide EUF-CMA against quantum attackers, ...." This is true but we may need to describe in more detail. In fact, for T/PQ composite signatures, if both T and PQ signatures are SUF-CMA again traditional attackers, their composite will be SUF-CMA again traditional attackers, according to draft-ietf-lamps-pq-composite-sigs-09. For quantum attackers, any T signatures (either EUF-CMA or SUF-CMA against traditional attackers) will be broken, so the 1. 3 ECDSA algorithms with P curves (ESP256, ESP384, ESP512 ) are currently recommended as Yes in the COSE algorithm list, https://www.iana.org/assignments/cose/cose.xhtml. So, it seems that COSE does not require that only SUF-CMA can be used for COSE. Otherwise, all these EUF-CMA secure algorithms should be deprecated. 1. You mentioned "EUF-CMA can lead to significant vulnerabilities such as replay of messages, double billing, double money transactions, double receipts, double contracts, and log/transaction history poisoning." Could you please elaborate for one particular example, say, double billing, why an EUF-CMA secure signature cannot be used? I tried to imagine but did not see why only SUF-CMA ones are needed in such a case. Cheers, Guilin From: John Mattsson <[email protected]> Sent: Thursday, 2 October 2025 10:40 pm To: Orie <[email protected]>; John Mattsson <[email protected]> Cc: Lucas Prabel <[email protected]>; [email protected]; [email protected]; cose <[email protected]> Subject: [COSE] Re: [jose] Re: Call for Adoption request: draft-prabel-jose-pq-composite-sigs-04 Hi, For long-lived devices that do not want to use lattice-based signatures, COSE already has registered the hash-based HSS-LMS https://www.rfc-editor.org/rfc/rfc8708.html https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf And SLH-DSA has been WG adopted and algorithms like SLH-DSA-SHAKE-128s https://datatracker.ietf.org/doc/html/draft-ietf-cose-sphincs-plus-05 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf are soon expected to be registered for COSE and JOSE. NIST is also actively working on SLH-DSA with smaller parameter sets https://csrc.nist.gov/csrc/media/presentations/2025/sphincs-smaller-parameter-sets/sphincs-dang_2.2.pdf Given that the composites only provide EUF-CMA against quantum attackers, which is the only type of attacker that should be considered today, I don't think COSE/JOSE should work on this. All signatures standardized by NIST and IETF in the last 20 years (EdDSA, LMS, XMSS, ML-DSA, SLH-DSA) are SUF-CMA (for very good reasons). EUF-CMA can lead to significant vulnerabilities such as replay of messages, double billing, double money transactions, double receipts, double contracts, and log/transaction history poisoning. SUF-CMA vs EUF-CMA is not a theoretic consideration; it is very much a real-world problem. COSE and JOSE are used in a wide variety of use cases. And we know that many/most developers will assume that all signatures are SUF-CMA. I think SLH-DSA, LMS, and XMSS are all better options than EUF-CMA composites. Cheers, John Preuss Mattsson (As an individual) From: Orie <[email protected]<mailto:[email protected]>> Date: Thursday, 2 October 2025 at 15:10 To: John Mattsson <[email protected]<mailto:[email protected]>> Cc: Lucas Prabel <[email protected]<mailto:[email protected]>>, [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>>, [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>>, cose <[email protected]<mailto:[email protected]>> Subject: Re: [jose] Re: Call for Adoption request: draft-prabel-jose-pq-composite-sigs-04 Hi, Adding COSE because of the draft title. I think composite signatures for JOSE & COSE do not make a lot of sense for the common cases of short lived access tokens. For longer lived identity credentials they might make sense, especially if you are shipping hardware with no ability to upgrade that is going to speak COSE, perhaps in long lived smart building IoT scenarios? I would tend to wait for TLS / LAMPs (to successfully adopt documents) and align with them. OS On Thu, Oct 2, 2025 at 5:17 AM John Mattsson <[email protected]<mailto:[email protected]>> wrote: Dear Lucas, My recollection is that the draft was presented at IETF 121 where several people stated that they did not think JOSE should work on composite signatures. At IETF 123 the draft almost did not get any time and there were no discussion. I am sorry that the chairs did not do their AP to "Chairs will send an email soliciting comments on whether we are ready to do a call for adoption." Good that you did. I notice that TLS WG at IETF 123 seems to have decided to not work on composites at this point in time. https://datatracker.ietf.org/meeting/123/materials/slides-123-tls-wg-status-00 The chairs would like to hear the current opinion of the working group. Cheers, John From: Lucas Prabel <[email protected]<mailto:[email protected]>> Date: Thursday, 2 October 2025 at 10:06 To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> Subject: [jose] Call for Adoption request: draft-prabel-jose-pq-composite-sigs-04 Dear JOSE WG, I am one of the co-authors of the individual draft draft-prabel-jose-pq-composite-sigs-04 (draft-prabel-jose-pq-composite-sigs-04 - PQ/T Hybrid Composite Signatures for JOSE and COSE<https://datatracker.ietf.org/doc/draft-prabel-jose-pq-composite-sigs/04/>). The draft has been presented in two IETF meetings, including IETF 123 in July. We have addressed the feedback received both on the mailing list and onsite during the sessions. The draft is also aligned with related work in other groups, in particular the COSE draft on ML-DSA and the LAMPS draft on composite signatures. We believe the document is in a good state to serve as a starting point for further work within the JOSE WG. Therefore, we would like to ask the chairs to consider issuing a Call for Adoption. We also welcome further comments and feedback on the draft from the working group. Best regards, Lucas _______________________________________________ jose mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]>
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
