Responding to my points which you commented on.

On 4/19/2026 11:03 PM, Muhammad Usama Sardar wrote:
>> - When exporting the private key, exports from each device and concatenate
>> the keys (and inverse for import)
>
> I would expect that exporting private keys will have serious security
> concerns, e.g., exporting private keys out of TEE breaks all
> guarantees for confidential computing. I would like the design to not
> export the private keys -- at least not both.
>

Key export and interoperable private key format have their use cases (e.g. HSM backup and restore, replication). If TEE is not a use case which benefits from key export, then don't implement key export for the TEE. That shouldn't preclude draft-ietf-lamps-pq-composite-sigs from defining a private key format for the use cases which need it.

>
>> However, draft-ietf-lamps-pq-composite-sigs says that a component key MUST
>> NOT[1] be reused as a standalone key. Implicitly this means that splitting
>> the component keys across two devices is a Bad Idea, as one could trivially
>> use a component key individually. Hence, Viktor's requirement of a single
>> device is the right way to implement it.
> That "implicitly" part was not my interpretation of
> draft-ietf-lamps-pq-composite-sigs. So I am very lost now. If both
> keys are in the same device, then what makes a single key leak and not
> the other one?

Nothing. I wasn't talking about key leaking.

> Without this, I don't find the above property providing much value
> (and folks talking about tradeoffs might be thinking this way, or?).
>
> I really hope I am misunderstanding "device." Is a TEE considered a
> single "device" here? Is TPM/HSM also a single "device" here? or is
> the system which contains a combination of TEE and TPM/HSM considered
> as a "device"?
>

The point was that if key reuse is forbidden then there shouldn't be a way to reference one of the components of a composite key as a standalone key (via a PKCS#11 token or whatever). Because if there is a way to reference one of the components of a composite key as a standalone key, then inevitably that will be done and non-separability properties will be lost.
