IETF Logo Mail Archive

[lamps] Re: WG Last Call: draft-ietf-lamps-pq-composite-sigs-08 (Ends 2025-10-06)

Mike Ounsworth <ounsworth+ietf@gmail.com> Wed, 24 September 2025 15:39 UTC

Return-Path: <ounsworth@gmail.com>
X-Original-To: spasm@mail2.ietf.org
Delivered-To: spasm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 64DDD68265C5 for <spasm@mail2.ietf.org>; Wed, 24 Sep 2025 08:39:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dSwK4XgH1NND for <spasm@mail2.ietf.org>; Wed, 24 Sep 2025 08:39:10 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1198368263A1 for <spasm@ietf.org>; Wed, 24 Sep 2025 08:38:09 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id ca18e2360f4ac-88cdb27571eso1090539f.0 for <spasm@ietf.org>; Wed, 24 Sep 2025 08:38:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1758728288; x=1759333088; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7WliU96VBgQIBKqv720Y8qMjx1W9x11CcmigewvTuWA=; b=DinOAWgnirCMztcRx3F88mlExK05N6JUsPqiRPIDJ21woEb8YQWE7sZl+rO5auhUTA Khy4ehEN5TSbwnKIO4b00TXZdS0e0UzYwZq3MrmazhOSN2Nbp+M2WWGz1B1LSRckIOWG 1mNsX72aofj3oZIN1QdB554mRksOgDirOwI20vlP5lkGgaClzJ1WwazYVsiACChIUb2M Wh8KOHJ9tBE2gmbTRRonwH5evg1uDwyR7S0FlL/w9aRMMDpK4WtK0AR9XJ4lmd1HWTY6 t7rxnIvke8CIhuTvrhDgelpSbhh2EJ8qIj/9t5VHNdhR0lHLgAzii4nEo9B6BUkf9F6z PS5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758728288; x=1759333088; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7WliU96VBgQIBKqv720Y8qMjx1W9x11CcmigewvTuWA=; b=Ph1HGP4C3lWBu4I5TaY7REeBK5xSsnGZrWpf0ebr3hhqdJFL4CLBHf4HDvlpwN+Pyd C3rIOtc6noAX4ehHhQFh2lI6+Br0OIrzCkBa/TMTKE04ph6KKd+nfddiBBIalUQ3z21c 2TWgR9zhXRcvQL6jQBixtfUNDvYpPw/Qtt+yEyRgITucg2wtBqg9UfXTP4U+zqIXEBPf WuwRUawSRv1PKycv7lGdPCqtf5RNPPKBu9D2RI5XebeDgfA9MiEkqvIH8BOHjL5l9ww5 6DHCpeffZATL0eus6kmxMx2/UMrMrS+XmtiN2XROfxBcmW5K/2WfVk2g9ftjyDz44980 lslw==
X-Forwarded-Encrypted: i=1; AJvYcCWJcp0+ZpgMx+wuVd47jTauwg82UPBBCKPVukftaLoQNtT00mnNHGz+ezCCReFB2aBTYjYTRQ==@ietf.org
X-Gm-Message-State: AOJu0YwNInq9S4f2Yvb8Amy5K6qZJPNfCz5BUyPiITHs7D9q16kcAtaQ lBl6nVi2FmFjXTFB1F5i9zKpaScRSWII3B8R80JMjU0Ca6fy28KUGWweTAnmQJPbFDa+nxf39+A ehUK6rvfye/JV7mRmAc1FsG+B0C0Oy5s=
X-Gm-Gg: ASbGnctLZK1H53q1o+b8OOhsaMc/0CyhZUAAYlH3ySZV9r+hd/pa+zV1xGPeiXeQna1 tHagZESEqDPpGFeE/ZTz6XvhF1l7Rh/JL3apmdHzciIuPiIa8yAoNY7ENs6aVC16ea9j9Mw6+4Q SGsiUAqX+hf8A3KK0+Cd0ZY0+YmLlq9xHxl7Lmh5kg66LoK5SK6d1nT4r7RunehoyOaFhEYrlNN G1d3hgb3wdqZ6RKetBn
X-Google-Smtp-Source: AGHT+IFWp55zQP4pXscrdV7AHsKakA6n7b9dZxJ1PcQBYMtNmJ87Hf5Lix/xZxUVfK30JMxYi3D7P1BA+aHhEwt7wpU=
X-Received: by 2002:a05:6e02:12e5:b0:424:6c8e:616d with SMTP id e9e14a558f8ab-425955e8303mr741155ab.11.1758728288067; Wed, 24 Sep 2025 08:38:08 -0700 (PDT)
MIME-Version: 1.0
References: <175855620751.648048.16646357165291761730@dt-datatracker-6c6cdf7f94-h6rnn> <88B43AFC-A176-4125-93D0-2A724D6603C4@vigilsec.com> <LO2P123MB70512155059C90E0339F1190BC1CA@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <CAKZgXHoGHc8Cjr1kFC9E4dTu1Lyfc0m0nNeHEb3Vn5kaH61E7w@mail.gmail.com> <27d6772f-f48d-4f90-b0bc-cfa5216ba367@mtg.de> <LO2P123MB7051C16988AE31502904D453BC1CA@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <LO2P123MB7051C16988AE31502904D453BC1CA@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
From: Mike Ounsworth <ounsworth+ietf@gmail.com>
Date: Wed, 24 Sep 2025 10:37:55 -0500
X-Gm-Features: AS18NWBlaeZBNSXRLMdThBAEZ29lLVOH3DpE46hr6KSbfti8_K8NcSGWrIi1378
Message-ID: <CAKZgXHqnOvjMGPApd1zMr1qDwYsG65_JoH8Wj4xVav0_d8tdiQ@mail.gmail.com>
To: Peter C <Peter.C@ncsc.gov.uk>
Content-Type: multipart/alternative; boundary="000000000000dde9e3063f8dd6bd"
Message-ID-Hash: OJP2YPY4N52AARUXBTTX557X5JT7QHN5
X-Message-ID-Hash: OJP2YPY4N52AARUXBTTX557X5JT7QHN5
X-MailFrom: ounsworth@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Falko Strenzke <falko.strenzke@mtg.de>, John Mattsson <john.mattsson@ericsson.com>, Russ Housley <housley@vigilsec.com>, "spasm@ietf.org" <spasm@ietf.org>, "draft-ietf-lamps-pq-composite-sigs@ietf.org" <draft-ietf-lamps-pq-composite-sigs@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [lamps] Re: WG Last Call: draft-ietf-lamps-pq-composite-sigs-08 (Ends 2025-10-06)
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/wgEt4XH0kxnxXrgvXxx0DqNrNlM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>

Hi Peter,

Can you give me some pointers about what you would like those extended
security considerations should say? Better yet, if you open a github issue
with the details, you'd be my best friend!

https://github.com/lamps-wg/draft-composite-sigs/issues

On Wed, 24 Sept 2025 at 10:35, Peter C <Peter.C@ncsc.gov.uk> wrote:

> Falko,
>
>
>
> Thanks.  I think it would be useful to extend the security considerations
> to include a discussion of the security of the composite construction in
> the context of X.509 certificates and CRLs.
>
>
>
> Peter
>
>
>
> *From:* Falko Strenzke <falko.strenzke@mtg.de>
> *Sent:* 24 September 2025 15:34
> *To:* Mike Ounsworth <ounsworth+ietf@gmail.com>; Peter C <
> Peter.C@ncsc.gov.uk>; John Mattsson <john.mattsson@ericsson.com>
> *Cc:* Russ Housley <housley@vigilsec.com>; spasm@ietf.org;
> draft-ietf-lamps-pq-composite-sigs@ietf.org; lamps-chairs@ietf.org
> *Subject:* Re: [lamps] Re: WG Last Call:
> draft-ietf-lamps-pq-composite-sigs-08 (Ends 2025-10-06)
>
>
>
> In this context I want to contribute the following observations:
>
> ## Strong Non-Separability for X.509 and CMS
>
> I claim that Strong Non-Separability (SNS) is naturally fulfilled for
> X.509 certificates and CRLs by a straightforward parallel combiner. This is
> due to the fact that both these data structures contain the signature
> algorithm identifier within the signed data. RFC 5280 requires these
> signature algorithm identifiers within  the signed data to be equal to
> their copy outside the signed data [1]. This means that a stripping attack
> is naturally prevented since removing one signature requires changing the
> signed algorithm identifier and thus invalidates the remaining signature.
>
> It should be noted that the chosen construction in the draft thus, for the
> case of X.509 when component keys are reused as standalone keys,
> unnecessarily weakens the security features since an attacker can, through
> a stripping attack, produce new validly signed artifacts, namely by
> rendering the signed data as M'. This amounts to a violation of EUF-CMA
> under consideration of cross-algorithm attacks (composite and component
> algorithm). Whereas the straightforward parallel combiner doesn't allow
> this or any other kind of stripping attack.
>
> For CMS the case is different, as there is no mechanism that naturally
> prevents stripping attacks. Here it would be possible to achieve SNS by
> specifying a new Signed Attribute that contains the signature algorithm
> identifier and is made a mandatory Signed Attribute in a protocol.
>
> ## Preservation of the SUF-CMA property
>
> Regarding the preservation of the SUF-CMA property of both component
> algorithms by the composite algorithm, note that
> - for X.509 certificates, this is fulfilled by the requirement of the
> unique serial number in RFC 5280. As a result, the same data will never be
> signed twice by a legitimate signer. Since the relevant attack works by
> recombining the component signatures of two different composite signatures
> over the *same* data, the attack is not possible.
> - in X.509 CRLs, there is not unnecessarily a unique serial number
> contained. But the thisUpdate field will in all realistic cases differ
> between two CRLs.
>
> Thus for X.509 certificates and CRLs, I argue that preservation of the
> SUF-CMA property is always fulfilled under realistic conditions.
>
> For CMS, the preservation of the SUF-CMA property could be achieved for
> applications that produce signed messages with a frequency in a domain
> sufficiently smaller than 1/s, namely by making the already existing
> *Signing Time* Signed Attribute mandatory. This attribute contains the
> signing time with an accuracy of seconds. Alternatively, to robustly
> achieve this security property, a new *Nonce* Signed Attribute could be
> specified for CMS.
>
>
> I suggest that these observations be taken into account in the security
> considerations. It should become clear why the specific construction was
> chosen despite the fact that it is – according to my arguments above – only
> degrading the security properties of the important X.509 use case.
>
> Falko
>
> [1] RFC 5280. https://www.rfc-editor.org/rfc/rfc5280.html#section-4.1.1.2,
> https://www.rfc-editor.org/rfc/rfc5280.html#section-5.1.1.2
>
> [2] RFC 5652. https://tools.ietf.org/html/rfc5652
>
> Am 24.09.25 um 13:33 schrieb Mike Ounsworth:
>
> Thanks John and Peter C. I agree that without the randomizer, Composite
> ML-DSA does not give SUF in the case of compromise of ML-DSA. I think Peter
> is right that I wrote this text several versions ago when we had a
> randomizer inside the pre-hash PH(r || M), and I think I have not revisited
> this text since. Thank you Peter also for the comment about
> non-separability. I will do a pass over this text and post a new version;
> probably on the weekend.
>
>
>
> https://github.com/lamps-wg/draft-composite-sigs/issues/275
>
>
>
> On Wed, 24 Sept 2025 at 05:12, Peter C <Peter.C=
> 40ncsc.gov.uk@dmarc.ietf.org> wrote:
>
> Hi,
>
>
>
> I had a comment about the non-separability discussion in section 10.2.
> The draft says:
>
>     [W]e want to consider a modified version of the EUF-CMA game
>
>     where the attacker has access to either a signing oracle over the
>
>     two component algorithms in isolation […] and attempts to
>
>     fraudulently present them as a composite, or where the attacker
>
>     has access to a composite signing oracle and then attempts to
>
>     split the signature back into components […].
>
>
>
> The first case (attacker constructing a composite signature from
> individual components) is indistinguishable from the situation where a
> legitimate signer stores the component private keys in separate
> cryptographic modules (as mentioned in section 4.1).  Weak non-separability
> only allows a verifier to detect the second case (attacker splitting a
> composite signature into its individual components).
>
>
>
> I’d suggest re-writing the non-separability discussion so that it only
> considers splitting attacks and perhaps expanding the key reuse section so
> that it is clearer that the risk is from **verifier** reuse of component
> public keys in other contexts.
>
>
>
> Peter
>
>
>
> *From:* Russ Housley <housley@vigilsec.com>
> *Sent:* 22 September 2025 16:52
> *To:* spasm@ietf.org
> *Cc:* draft-ietf-lamps-pq-composite-sigs@ietf.org; lamps-chairs@ietf.org
> *Subject:* [lamps] Re: WG Last Call:
> draft-ietf-lamps-pq-composite-sigs-08 (Ends 2025-10-06)
>
>
>
> As part of this WG Last Call, be aware that this IPR disclosure was
> submitted four years ago:
>
> https://datatracker.ietf.org/ipr/4761/
>
>
>
> Russ
>
>
>
>
>
> On Sep 22, 2025, at 11:50 AM, Russ Housley via Datatracker <
> noreply@ietf.org> wrote:
>
>
>
>
> Subject: WG Last Call: draft-ietf-lamps-pq-composite-sigs-08 (Ends
> 2025-10-06)
>
> This message starts a 2-week WG Last Call for this document.
>
> Abstract:
>   This document defines combinations of ML-DSA [FIPS.204] in hybrid
>   with traditional algorithms RSASSA-PKCS1-v1.5, RSASSA-PSS, ECDSA,
>   Ed25519, and Ed448.  These combinations are tailored to meet security
>   best practices and regulatory guidelines.  Composite ML-DSA is
>   applicable in any application that uses X.509 or PKIX data structures
>   that accept ML-DSA, but where the operator wants extra protection
>   against breaks or catastrophic bugs in ML-DSA.
>
> File can be retrieved from:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/
>
> Please review and indicate your support or objection to proceed with the
> publication of this document by replying to this email keeping
> spasm@ietf.org
> in copy. Objections should be motivated and suggestions to resolve them are
> highly appreciated.
>
> Authors, and WG participants in general, are reminded again of the
> Intellectual Property Rights (IPR) disclosure obligations described in BCP
> 79
> [1]. Appropriate IPR disclosures required for full conformance with the
> provisions of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of
> any. Sanctions available for application to violators of IETF IPR Policy
> can
> be found at [3].
>
> Thank you.
>
> [1] https://datatracker.ietf.org/doc/bcp78/
> [2] https://datatracker.ietf.org/doc/bcp79/
> [3] https://datatracker.ietf.org/doc/rfc6701/
>
>
>
> _______________________________________________
> Spasm mailing list -- spasm@ietf.org
> To unsubscribe send an email to spasm-leave@ietf.org
>
>
>
> _______________________________________________
>
> Spasm mailing list -- spasm@ietf.org
>
> To unsubscribe send an email to spasm-leave@ietf.org
>
> --
>
> *MTG AG*
> Dr. Falko Strenzke
>
> Phone: +49 6151 8000 24
> E-Mail: falko.strenzke@mtg.de
> Web: mtg.de <https://www.mtg.de>
> ------------------------------
>
> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
> Commercial register: HRB 8901
> Register Court: Amtsgericht Darmstadt
> Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
> Chairman of the Supervisory Board: Dr. Thomas Milde
>
> This email may contain confidential and/or privileged information. If you
> are not the correct recipient or have received this email in error,
> please inform the sender immediately and delete this email.Unauthorised
> copying or distribution of this email is not permitted.
>
> Data protection information: Privacy policy
> <https://www.mtg.de/en/privacy-policy>
>

v2.37.1 | Report a Bug | By Email | System Status