> -----Original Message----- > From: [email protected] <[email protected]> > Sent: Saturday, November 23, 2024 3:44 AM > To: [email protected] > Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS > > > But with signatures, the risks become substantial because: > > - Complexity. Some of it to deal with known non-obvious attacks. > - Known unknown attacks. > > Even just the LAMPS composite signature combiner is known to be > cryptographically unsound. Sound signature combiners are in theory > impossible (practical sound signature combiners might exist). >
Can you expound on that? The composite signature combiner is "place the RSA signature here, place the ML-DSA signature there, we're done". Given that the verifier checks both the RSA signature and the ML-DSA signature, I would naively expect that any successful forgery would need to break both. Could you explain what I'm missing? _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
