The bigger problem with both double encryption and PQ/T hybrids is that they 
cannot meaningfully be compared to addition (+). In fact, it is misleading to 
speak about “adding” security at all, since the resulting “sum” may actually be 
weaker than the individual “addends”. Examples of double-encryption 
constructions that do not behave as one might intuitively expect include 
two-key double DES (2DES), double encryption with RSA using different keys, and 
double encryption with the same one-time pad. These examples illustrate that 
cryptographic composition can behave in highly non-intuitive ways, and that 
security properties generally do not compose additively.

Cheers,
John Preuß Mattsson

From: Blumenthal, Uri - 0553 - MITLL <[email protected]>
Date: Tuesday, 26 May 2026 at 17:23
To: Brian E Carpenter <[email protected]>; [email protected] <[email protected]>
Subject: [TLS] Re: [EXT] Re: [Last-Call] <draft-ietf-tls-mldsa-03.txt> (Use of 
ML-DSA in TLS 1.3) to Informational RFC


>> That depends on relative difficulty of breaking algorithms. If quantum
>> attack against first algorithm is much cheaper than attacking the second
>> algorithm, then the second algorithm is the bottleneck and adding the
>> first to composite does not improve security.
>
> Last time I checked, 1000+1 > 1000, which is all I was asserting. If I’d
> asserted "breaking two algorithms is always *significantly* harder than
>  breaking one algorithm", I would have been wrong.

You keep ignoring or forgetting that the above “+1” is not free, so one has to 
evaluate the cost/trouble of adding that “1” against the benefits it’s going to 
add.

For example, nobody argues that if we super-encrypt AES ciphertext with, e.g., 
ARIA — we’ll increase the overall security. But, for reasons quite obvious, 
nobody seems willing to add that “+1” to the “1000” that AES already provided.
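
The 2DES and reused one-time-pad cases named at the top of this thread, as an added example that is not part of either e-mail. It uses a toy 16-bit Feistel cipher with 12-bit keys as a constructed stand-in for DES (all names and values are assumptions) to show that searching a two-key double encryption takes about 2^13 cipher calls rather than 2^24, and that two layers of the same pad return the plaintext.

```python
import hashlib

KEY_BITS = 12  # toy key size, constructed for this demo (DES uses 56)

def _f(key, half, rnd):
    # Round function of a toy 16-bit Feistel cipher; a stand-in, not DES.
    return hashlib.sha256(bytes([key >> 8, key & 0xFF, half, rnd])).digest()[0]

def enc(key, block):
    l, r = block >> 8, block & 0xFF
    for rnd in range(4):
        l, r = r, l ^ _f(key, r, rnd)
    return (l << 8) | r

def dec(key, block):
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        l, r = r ^ _f(key, l, rnd), l
    return (l << 8) | r

def double_enc(k1, k2, block):
    return enc(k2, enc(k1, block))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cipher calls spent on the first known pair)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << KEY_BITS):      # forward half: 2**KEY_BITS encryptions
        table.setdefault(enc(k1, p0), []).append(k1)
    found, work = [], 1 << KEY_BITS
    for k2 in range(1 << KEY_BITS):      # backward half: 2**KEY_BITS decryptions
        work += 1
        for k1 in table.get(dec(k2, c0), []):
            # Extra known pairs weed out chance collisions in the middle value.
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, work

def otp(pad, data):
    return bytes(a ^ b for a, b in zip(pad, data))

if __name__ == "__main__":
    k1, k2 = 0x3A7, 0xC15                # constructed sample keys
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    found, work = meet_in_the_middle(pairs)
    print((k1, k2) in found, work, "vs brute force", 1 << (2 * KEY_BITS))
    pad = bytes(range(16))               # constructed pad, reused for both layers
    print(otp(pad, otp(pad, b"sixteen byte msg")))  # second layer undoes the first
```

The work counter covers only the table build and lookup on the first known pair; the few candidate checks against the remaining pairs are not counted.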