Brian E Carpenter wrote:
>Assuming that means "breaking two algorithms is always harder than
>breaking one algorithm", that is very hard to argue against, from
>my point of view as a crypto ignoramus.

This is, in fact, very easy to argue against. Hybrid schemes can fail, and demonstrably have failed, in at least two ways:

1. The composition fails to preserve the security properties of its individual components.
2. Implementation bugs prevent the system from achieving the intended hybrid security guarantees.

Poorly designed hybrids can actually be easier to attack than any of their constituent components individually. One example is [1], which inherits the malleability weakness of ECDSA, destroys the beyond-unforgeability (BUFF) properties provided by ML-DSA, and introduces an additional independent malleability weakness. As a result, attacking [1] may be easier than attacking either component on its own.

We have identified major implementation flaws in two independent hybrid signature solutions that suppliers attempted to sell to us. In both cases, the effective security was reduced to that of the weakest component.

For regulatory reasons, it is essential that the traditional component can be removed in the future. Composite hybrids cannot be used for long-term trust anchors, as they create a significant legal and compliance risk.

Brian E Carpenter wrote:
>It doesn't follow from that we shouldn't document how to apply
>PQ-only algorithms, as long as we *also* document and cite
>this risk analysis.

Security considerations for hybrids would be good, but I don't think they should be in a single algorithms document, and documenting the risks with hybrids is equally if not more important, as it has been mostly overlooked.

[1] https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-sigs

Cheers,
John Preuß Mattsson
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
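The ECDSA malleability that the message above says a composite inherits, shown as an added example. This is editor-supplied code, not from the e-mail, the cited draft, or any project: a stdlib-only P-256 ECDSA in pure Python with a textbook verifier that accepts both (r, s) and (r, n - s), next to a strict verifier that rejects the non-canonical form. ML-DSA is not implemented here; the curve constants are the standard P-256 domain parameters, the message is constructed, and all function names are this example's own.

```python
"""ECDSA signature malleability over P-256, in pure Python (stdlib only).

Added example, not code from the draft or the e-mail. ML-DSA is not
implemented; the point is the property of the traditional component that a
composite inherits when it checks the ECDSA part without a canonical-form test.
"""
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def point_add(p1, p2):
    """Affine point addition on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:   # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, point)
        point = point_add(point, point)
        k >>= 1
    return acc


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def _hash_to_int(msg):
    # SHA-256 output is 256 bits, the bit length of N, so no truncation step.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(d, msg):
    z = _hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)


def ecdsa_verify(pub, msg, sig):
    """Textbook verification: accepts both (r, s) and (r, N - s)."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    z = _hash_to_int(msg)
    x = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return x is not None and x[0] % N == r


def maul(sig):
    """A second valid signature on the same message, derived without the key."""
    r, s = sig
    return (r, N - s)


def canonicalize(sig):
    """Low-s form: exactly one of s and N - s is <= N // 2 (N is odd)."""
    r, s = sig
    return (r, s if s <= N // 2 else N - s)


def ecdsa_verify_strict(pub, msg, sig):
    """Verification that additionally demands the low-s canonical form."""
    if sig[1] > N // 2:
        return False
    return ecdsa_verify(pub, msg, sig)


def demo(msg=b"composite hybrid test vector (constructed)"):
    d, pub = keygen()
    sig = ecdsa_sign(d, msg)
    mauled = maul(sig)
    return {
        "original_verifies": ecdsa_verify(pub, msg, sig),
        "mauled_verifies": ecdsa_verify(pub, msg, mauled),
        "mauled_differs": mauled != sig,
        "strict_accepts_exactly_one":
            ecdsa_verify_strict(pub, msg, sig) != ecdsa_verify_strict(pub, msg, mauled),
        "strict_accepts_canonical": ecdsa_verify_strict(pub, msg, canonicalize(sig)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The mauled pair verifies because (N - s)^-1 = -(s^-1) mod N negates both scalars, so the recovered point is the negation of the original and its x-coordinate is unchanged. Any composite whose verifier simply ANDs the component verifications over a concatenated signature therefore accepts two distinct composite signatures for every message unless it applies a canonical-form check such as the low-s test here, which is what a practitioner should look for when evaluating a hybrid's claimed non-malleability.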
