Ilari, you have stated that:

> Even just the LAMPS composite signature combiner is known to be
> cryptographically unsound

I assume that you're talking about draft-ietf-lamps-pq-composite-sigs-03.  If 
so, I must ask you to back up that statement, providing either a citation, or a 
self-evident explanation.

When I look at it, it would appear to me that generating a forgery against a 
valid verifier would require either:
        - Finding a collision in the hash function
        - Generating a forgery for both ML-DSA and the classical signature 
algorithm.

Given that we believe that both of the two are hard problems, it would appear 
that the system is cryptographically sound.

In addition, someone could take a valid composite signature and extract the 
classical signature, creating an existential forgery for the classical public 
key.  This is not a practical concern if (as the draft recommends) you never 
use that public key in another context.  Hence, it is hard to consider this as 
an example of cryptographical unsoundness.

If you have any evidence to the contrary, please share it.  If you do not have 
such evidence, please apologize.

> -----Original Message-----
> From: Scott Fluhrer (sfluhrer) <[email protected]>
> Sent: Saturday, November 23, 2024 8:46 AM
> To: [email protected]; [email protected]
> Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS
> 
> 
> 
> > -----Original Message-----
> > From: [email protected] <[email protected]>
> > Sent: Saturday, November 23, 2024 3:44 AM
> > To: [email protected]
> > Subject: [TLS] Re: [EXT] Re: ML-DSA in TLS
> >
> >
> > But with signatures, the risks become substantial because:
> >
> > - Complexity. Some of it to deal with known non-obvious attacks.
> > - Known unknown attacks.
> >
> > Even just the LAMPS composite signature combiner is known to be
> > cryptographically unsound. Sound signature combiners are in theory
> > impossible (practical sound signature combiners might exist).
> >
> 
> Can you expound on that?  The composite signature combiner is "place the
> RSA signature here, place the ML-DSA signature there, we're done".
> 
> Given that the verifier checks both the RSA signature and the ML-DSA
> signature, I would naively expect that any successful forgery would need to
> break both.
> 
> Could you explain what I'm missing?
> 
> 
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
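To make the argument in the thread concrete (verifier checks both component signatures, so a forgery needs a hash collision or a break of both schemes; and a classical signature lifted out of a composite still verifies stand-alone under the classical key, which is why the key must not be reused in another context), here is an added example of my own. It is not code from the LAMPS draft or from anyone on this list, and it does not reproduce the draft's encoding, labels or algorithms: both components are Lamport one-time signatures built on hashlib (SHA3-256 standing in for ML-DSA, SHA-256 for the classical algorithm), and the "sign SHA-256(message) with both, AND the results" structure is my simplification of the combiner being discussed.

```python
"""Toy AND-combiner for a composite signature, in the shape discussed
in the thread.  Added example; not the draft's code.  Lamport one-time
signatures stand in for ML-DSA and the classical algorithm."""
import hashlib
import secrets

N = 256  # the to-be-signed value is a SHA-256 digest: 256 bits


def lamport_keygen(hashname):
    """Secret key: N pairs of random 32-byte preimages.
    Public key: the same pairs, hashed with `hashname`."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(hashlib.new(hashname, a).digest(), hashlib.new(hashname, b).digest())
          for a, b in sk]
    return sk, pk


def lamport_sign(sk, digest):
    """Reveal, for bit i of the digest, preimage 0 or 1 of pair i.
    One-time: signing a second digest with the same key leaks it."""
    bits = int.from_bytes(digest, "big")
    return [sk[i][(bits >> (N - 1 - i)) & 1] for i in range(N)]


def lamport_verify(pk, hashname, digest, sig):
    if len(sig) != N:
        return False
    bits = int.from_bytes(digest, "big")
    return all(hashlib.new(hashname, sig[i]).digest() == pk[i][(bits >> (N - 1 - i)) & 1]
               for i in range(N))


# ---- composite combiner: sign the same digest with both, verify both ----
PQ_HASH = "sha3_256"   # stand-in for the ML-DSA component
CL_HASH = "sha256"     # stand-in for the classical component


def composite_keygen():
    pq_sk, pq_pk = lamport_keygen(PQ_HASH)
    cl_sk, cl_pk = lamport_keygen(CL_HASH)
    return (pq_sk, cl_sk), (pq_pk, cl_pk)


def tbs_digest(message):
    # Both components sign the hash of the message, so a forger who cannot
    # break either scheme is left with finding a collision here.
    return hashlib.sha256(message).digest()


def composite_sign(sk, message):
    pq_sk, cl_sk = sk
    d = tbs_digest(message)
    return (lamport_sign(pq_sk, d), lamport_sign(cl_sk, d))


def composite_verify(pk, message, sig):
    """AND-combiner: the composite is valid only if BOTH components verify."""
    pq_pk, cl_pk = pk
    pq_sig, cl_sig = sig
    d = tbs_digest(message)
    return (lamport_verify(pq_pk, PQ_HASH, d, pq_sig)
            and lamport_verify(cl_pk, CL_HASH, d, cl_sig))


def demo():
    """Run the checks the thread argues about; returns a dict of outcomes."""
    sk, (pq_pk, cl_pk) = composite_keygen()
    message = b"constructed sample message"          # constructed input
    sig = composite_sign(sk, message)
    junk = [secrets.token_bytes(32) for _ in range(N)]  # a forged component
    return {
        "valid": composite_verify((pq_pk, cl_pk), message, sig),
        # same signature presented for a different message
        "other_message": composite_verify((pq_pk, cl_pk), b"something else", sig),
        # breaking only one component is not enough
        "pq_component_forged": composite_verify((pq_pk, cl_pk), message, (junk, sig[1])),
        "classical_component_forged": composite_verify((pq_pk, cl_pk), message, (sig[0], junk)),
        # the classical component, extracted from the composite, is a valid
        # stand-alone signature under the classical key: harmless only if
        # that key is never used outside the composite context.
        "extracted_classical_verifies_standalone":
            lamport_verify(cl_pk, CL_HASH, tbs_digest(message), sig[1]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last entry of `demo()` is the existential-forgery observation from the thread reproduced mechanically: nothing in the AND-combiner stops a component from being lifted out, so the security argument rests on the composite key pair being used in no other context.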
