[TLS] Re: Composite ML-DSA

John Mattsson <john.mattsson@ericsson.com> Thu, 04 June 2026 15:40 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BB88CFAF3BD6 for <tls@mail2.ietf.org>; Thu, 4 Jun 2026 08:40:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780587623; bh=KH3t8L28SnPquXlSg5sNxqpmAZwY4YmpEMvS5zU3yRo=; h=From:To:Subject:Date; b=an9tXNZEd/3bRvj/m+390BGeTPndGQv6Veg/4zJ5oN5ej5tLiBSYYsG2miEsByXAi x8cuLI9yGnEXRyNt3ki958QK7FZpWvhBHhRNDgWnGJXDts/oqeC70SkVUb0+1l9JZJ SpOyQ2Q1aZqa4iJxlU3ZuYOEepxn4qOxkbuSr1h0=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mU1Sq3BC7aWZ for <tls@mail2.ietf.org>; Thu, 4 Jun 2026 08:40:22 -0700 (PDT)
Received: from AS8PR04CU009.outbound.protection.outlook.com (mail-westeuropeazon11011065.outbound.protection.outlook.com [52.101.70.65]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id DA99AFAF2EE2 for <tls@ietf.org>; Thu, 4 Jun 2026 08:35:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=uJh6nLqeqqBAaGrTMfX0WYWZhrBFktcFqf31ZeYo/swG4LkHT2hul3eP+0CkXALHOpRDQS1FOZeHelFnUzGYUC72rQZAAyplU3l7K7m/Sn0FH9+Q99JISRtUCABHpU5lmSPcJ4M9yGO2uwlo9yVrTK1f6TE1zgD3MM22ATcQOqkHX6GcBElX4IKi+pYY/tJ4/UlF6JbC1vcVAzcgkWcTZN0tciydjKBNsco4zGwZPNtuF7DDbmHc8y+ANcqgFl4TNkcbQbpEH/fjo+t7ACSLErID6RnZJLvry2FFr6WpRi4G5RP/nK+4Wicj2GusKWkv6Y/2RQLNPaKXOFDchTT1fg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8OyKwHeLGOTDj/QJ7DTXicbvI7MmgJostiCd5/LNTmY=; b=A6rAAC1YiOdb4wEy/TolIxHqKFqqjcKzTvyEyOjLCX/U540N8J3/vSLwWKu216R5O/UywQ5NFWpcuRZba6BZ2d0neSRphtrGh9up9Ju7jV7vq+KIrVBmYYBqCgAxvXOD/rPDSkZOlLLV/nm0gJcRJnFIk6vtVnj09DdES14noeiPebE5YSNrF0a051RoeYfuM5X2RN4ZNUIbSJzmPu13m56LmcPCn2Fg6tRnP3IgLcrAv7wGnCV+YUh9+BpreU4AwwD4llEisR3jkWajwDR90VOxw/xn51EkI7QcE57/UjH7heXayvy/aEt4TVyyXCAnGBVaov17qXcE4K6BMoh4tQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8OyKwHeLGOTDj/QJ7DTXicbvI7MmgJostiCd5/LNTmY=; b=q5EqKdWDh4y7XQcUcr9nghR5cNSsYnFh+EymSOMna9zjDJDaMc06ZBwn+C1rLQWH+ll/a2YszkaTsPsj1l6VPOvmSJVlYs95D0HJijMahhQYZDcuBFP5n2bMDkTWrzAFgEGT15fV15yEgIo4PlNExIKrMA7GEt6o7ifBlN4eG+iP1ZTyCwSYGeIak48CIFyzJYYP7B0uYXF+QiUae6vyLD8eWy4wj4+4H0EGp/cTa90LOTUyao72dYndM3Nx7Hi0M2lBMRkLopnpvap4dfNSOQqal+SIT0/xCoLEZfDBRmpoHnEDsU3dSKP21WTkDJRXkCKE7OZL674XnH/d5lpr9g==
Received: from AS4PR07MB8825.eurprd07.prod.outlook.com (2603:10a6:20b:4f3::15) by VI1PR07MB9897.eurprd07.prod.outlook.com (2603:10a6:800:1d1::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.7; Thu, 4 Jun 2026 15:35:23 +0000
Received: from AS4PR07MB8825.eurprd07.prod.outlook.com ([fe80::11a4:5f37:fa92:f174]) by AS4PR07MB8825.eurprd07.prod.outlook.com ([fe80::11a4:5f37:fa92:f174%6]) with mapi id 15.21.0092.006; Thu, 4 Jun 2026 15:35:23 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Falko Strenzke <falko.strenzke@mtg.de>, TLS List <tls@ietf.org>
Thread-Topic: [TLS] Re: Composite ML-DSA
Thread-Index: AQHc9DaCBvJvmdKmAk+9uV4dOfqXUA==
Date: Thu, 04 Jun 2026 15:35:23 +0000
Message-ID: <AS4PR07MB8825CD4A00CD21243F62A1DA89102@AS4PR07MB8825.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-reactions: allow
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AS4PR07MB8825:EE_|VI1PR07MB9897:EE_
x-ms-office365-filtering-correlation-id: ce58c176-c2d0-4cca-5cf1-08dec24ee4d0
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|6049299003|366016|4022899009|376014|4053099003|13003099007|8096899003|18002099003|38070700021|56012099006|11063799006;
x-microsoft-antispam-message-info: N8oqqs1152G6dJ0PDOuJsY0zjOxM+0C9Fst5t6Lomk+CiUGs3GPnN/M27C79rJxiEuYHGv3JrcKFMKbL4D7P/AdVHnKN9Lc1AxHf/M9yN1Tey967duCRigrrflFc5mS5c9098zHBBYStkXmovlNZb9vwnd0EZ9QGOafrIrMqSUpovtw8Yl9sxAlVCjQ+vVytQZRznul7K2WlQ4LQijs/Qdx/d+2qDBpYf8m2XiLzDX394m0tbjZ00KlPLQwwl+hyCwj+dl1BzrNNn8px0d1bqLT5ofF0BWNL/ht7Qs5K13V5vG6ZscUNqUSh/pC0HrOONwtcZYz/AIZlPAoa54+RLoE6ZiREM/72hdUT7jPzhZOcwWv5sRctUz9Ga+/eE7sFmnyNgbXS3UmqD6hxvlBFMPnydVDLsd1JlbtHrKcYf9m18TuKf3Zm2hODPpgtaLRNN6AA16T8nTbsZR3NqQsyq1fUBZ21viXD9vUYTrp//JA6WxjQWZEC7MOELSm4+cTqrD+YPRvs6SG26KKn/Be5KFrhIspRr60y1SfADCfn7A5ajlUKyamyrQYq9tnzqDSUmo+DJLx6YYPJc5xf0Pp4mcyUwGA+BYblE9jwTgFM2C6vbIbpX8YvUgc5iztgl9Rn5KUnX5b7W9HUmW5Nm6RRUA==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS4PR07MB8825.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(6049299003)(366016)(4022899009)(376014)(4053099003)(13003099007)(8096899003)(18002099003)(38070700021)(56012099006)(11063799006);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 34hVENV9W/C62iFFTj32PuAl8B4WZ4PptE0+y8IkIuh2Nxpl4lNTk/z1x2kdrNOy8Q5bGs228Ko+I7vPoOtKDnfwlCuSdml7l4ivKKvrXNYtA3eub0nIxD2ezy4Hi3wtpqAIFS/Cq3MvapS6K86wWNKky6RmOo4DLcTsxaxEcCmaabsOHW5bdLRaIejlKRIbKWv0+vHJsW1z23YHxWfzNCh+mvju8ih9G0fWIxxxN8vr5oT5U9X4yF4dxEPueqId5s8e1upXCnhaFswbU2ms7Kx1WlPVp08ZibPdxjhb5Sn2joldGrhMNKS/Fpxz0RxzQiCJP/IJEItZX/DPMoSrpqVcfZY58Ji+kGulaEYKLir+OUUAVXIPfg+cKG7lnput7CfnNItITjclSNrxmHaPfeHh70n32nt0UiNkaTpequTcS+mPwHvxNfL7+RdesRbRrDb/eAljPu8FOGzW8n1a1hQ/SkK1aLoTovtuejP4WfzotRNWENOzn99ZkL3Eni0lUYT2jexv29Lt2kvqCulf7Sll+/GaCxKbHskpf+ni9hc8ySLrfaKIakJflRUHfoOgv1xe0K8KQXW5DvXzD0YR+8COpkERnbY1tL7vs0d9h7kEBa8QRW1zZdbqysuZoxc6PzyHzET55hXc7+iQxVKiisEapu+/wz8/tjwvwdXt9KRk8VxrzKbhGe9NFyWTeABgYN7Wf3S0ePezOQcOJOKOQvo4+soZvVKCSnVTl4NA2FF3SypxFlkqJokdGDVLNY9+JU7je3Gbm3tgj2XjbdpFQsBhikzs4UIAcYbO/yFPlsbnRPsNIdgtU/U4FXm/wfkd5fv+GNTw2rNg+W1urNXS98WvkNfi/QwnBQ5olbYuCRH9/+KvuA5Zapu2KKzV/f1WDtQcNxBhRvzKGJdNHYMLXiEFPa+f2D2H6RN5fOausHaXzfYCWNLOWQyPg2YoGV9xAeyWvMYpcwucePjYmCvIzGeTKOvakvLZWg0wjV0DQu5wQsRbz5e0q9VFQJc75iBqb77pcocJp1PWYTNy7X1wnTV8xPHOWv1fr+Ycz2Ja5ugG5/nY6lOEjW4COKp52nkdw4boeDHt9j5sdHmFZWNCFplE7y4yGxOkO0JgwwRXgtof2BuCEQVgnlWryg+vellJJdT7DJwcoTMTkWeSzenfMe7OXFsRhY3frkMC05baLoTaObdy8RsK8RqQokh0BFRyA6IfRGVUJtwHAb8cyrR8Hx7doa60J0m5RbMKOh4Ev0ls400I0crvsYkAQxoZFRrpdVKYQbhCicjLgIw1QK1MOJpspfQ9Cdq6S9S0BrNxLPE3kGcs/7EPOa30LncLjwiMaIdmBw+Fvw5RzHjUq02bjeaEy+pQASlILdlnZo0uWU2Av4s6N50MlRbHuZdz5Vb6aaP1dHujY9OQ5hcI17D35faw8eEqNN8ra2EQHoI+InMwLJSGSCSDOUHXuPKZDzPBW5luMVHpiSxxJad6lC+Z1CZW9jptWvlXPqSacpZn37coBlEVk7pdo8JysEc4pMCSp/RkIW7lUe7Rb1NeuD+VY8x0so1W1eXsZ8e6ujlzd6dgucxny2ZFVQI1mCeUmwoamLI2rkb/aHqP9PakuK+IMfYgnFm/YL87O3JkEHrZXADUd4yF2mAUZagxeuGFrc6LODgBnLf3hCScE8xIwu5M/J/3ePQuEAUhMu/3citvO4lhyGs1rkru2xLoXOd2i+AoObA9vGn0mqFf3JTIa6rbB0+8AE6GkiEXcfCXiOqlLI4=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_36869F3A-1A7E-2946-AFE4-EDC38CE29439_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS4PR07MB8825.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ce58c176-c2d0-4cca-5cf1-08dec24ee4d0
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jun 2026 15:35:23.5043 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kwHZ0HqjbLl7Qq7OuI0iXvEEm1KGdIUSzQny8Qj4DC0Cgpo4D7Oq7t3kShSbi1t+5xeru+GlNULSWlTsTTihLdubGdH3WQxJcecgviLDbL4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB9897
Message-ID-Hash: 4ONJACZU7TXUN3EBPVBOIZ5F6VCLVZD3
X-Message-ID-Hash: 4ONJACZU7TXUN3EBPVBOIZ5F6VCLVZD3
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Composite ML-DSA
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SqcgdaAGom_8pjGWrEQ2oMbfWfs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Falko,


Sorry for the late reply; I missed your email. Bernstein kindly reminded me.


>You are addressing the problem of lack of SUF-CMA in regard to signatures of certificates. The discussion here however is about TLS signatures.


I don't think that is correct, the discussion here is to quote draft-reddy-tls-composite-mldsa: "authentication in TLS 1.3 via the "signature_algorithms" and "signature_algorithms_cert" extensions"


>The case for certification path validation is already 
>settled by defining ML-DSA-composite signatures for X.509. Once the RFC 
>is out, this automatically applies to path validation in all X.509 
>contexts, including TLS.


That is not correct. The TLS WG and TLS libraries are not required to support everything defined in the ITU-T X.509 ecosystem, including new cryptographic algorithms designed by LAMPS. And without registration in the TLS SignatureScheme registry, support for ML-DSA composite signatures in TLS certificate chains cannot be negotiated.


>So what would be relevant for the discussion at hand are only SUF-CMA 
>concerns with regard to TLS signatures, i.e. TLS server and client 
>certificates featuring composite keys. If there was such a problem, I 
>assume this should already be a known with regard to ECDSA.


I disagree with that. draft-reddy-tls-composite-mldsa proposes registering algorithms for use in signature_algorithms_cert, so certificates are very much relevant to this discussion. Furthermore, since one stated objective of draft-reddy-tls-composite-mldsa is to address implementation issues in ML-DSA, it is equally relevant to examine whether it may introduce implementation issues in TLS systems. The vulnerabilities I describe also apply to ECDSA. In my view, standardizing ECDSA with a malleability vulnerability was a mistake that should not be repeated. NIST, which standardized ECDSA, seems to agrees with that. In [1] NIST writes:


"all of NIST’s current and planned PQC standards for general-purpose signatures — target the more robust security definition of strong unforgeability with respect to an adaptive chosen message attack (SUF-CMA)."


Cheers,
John Preuß Mattsson


[1] https://nvlpubs.nist.gov/nistpubs/ir/2026/NIST.IR.8610.pdf <2a32f25a-0e43-44e1-b12e-bdb4839fdc1a>



From: Falko Strenzke <falko.strenzke@mtg.de>
Date: Friday, 17 April 2026 at 12:46
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>; TLS List <tls@ietf.org>
Subject: [TLS] Re: Composite ML-DSA



Hi John,
Am 16.04.26 um 19:31 schrieb John Mattsson:

Hi, 


While I recommend everybody to use X25519MLKEM768, I do not think TLS should work on hybrid authentication. If hybrid authentication is nevertheless worked on, the composite signatures in draft-reddy-tls-composite-mldsa seem like the least suitable approach.


Work on hybrid signatures in 2026 is a distraction delaying the urgent migration to PQC signatures, particularly for PKI and long-lived devices. I see little justification for placing less trust in ML-DSA than in RSA or ECDSA (EdDSA is a good algorithm but is not widely used in TLS). In fact, the sooner RSA and ECDSA can be replaced by ML-DSA or SLH-DSA, the better. For those not yet ready to adopt ML-DSA, standalone SLH-DSA is the way to go.
SLH-DSA doubles the signature size of public-key+signature for the lowest security level compared to ML-DSA. For the higher two levels it gets much worse. This is the reason why composites are relevant: if using them with ECC signatures, they have no measurable effect on the signature size compared to ML-DSA. 


All modern signature schemes (RSA-PSS, EdDSA, LMS, XMSS, ML-DSA, SLH-DSA, FN-DSA) avoid trivial attacks on strong unforgeability and provide a high level of SUF-CMA security. I do not think TLS should introduce any new weak signature algorithms such as draft-reddy-tls-composite-mldsa. draft-reddy-tls-composite-mldsa goes against the principle in both US SP 800-227 and EU Roadmap for transition to PQC which states that hybrids should preserve the security properties of its components. The new cryptographic algorithms in draft-reddy-tls-composite-mldsa (which has not been vetted by CFRG) significantly weakens the security properties of ML-DSA as they introduce trivial attacks on strong unforgeability. 


With the algorithms in draft-reddy-tls-composite-mldsa, a CA does not issue a single certificate; instead, it issues a set of valid certificates, each with its own fingerprint. This has practical consequences for TLS. Logging, SIEM, and threat intelligence systems often record events such as “Observed certificate fingerprint X connecting to service Y,” implicitly treating the fingerprint as a stable identifier. Similarly, blocklists often operate on fingerprints (e.g., “Block fingerprint X”), and incident response workflows often rely on fingerprints as unique identifiers when searching for the attacker across datasets. In the presence of trivial attacks on strong unforgeability, these assumptions break down, as the same underlying certificate can appear under many fingerprints. I think standardizing ECDSA with trivial attacks on strong unforgeability was a big mistake that should not be repeated.
You are addressing the problem of lack of SUF-CMA in regard to signatures of certificates. The discussion here however is about TLS signatures. The case for certification path validation is already settled by defining ML-DSA-composite signatures for X.509. Once the RFC is out, this automatically applies to path validation in all X.509 contexts, including TLS.
So what would be relevant for the discussion at hand are only SUF-CMA concerns with regard to TLS signatures, i.e. TLS server and client certificates featuring composite keys. If there was such a problem, I assume this should already be a known with regard to ECDSA.
Falko


Cheers,
John Preuß Mattsson


_______________________________________________ TLS mailing list -- tls@ietf.org <c4fbd7a4-6cd5-4b4c-81b2-ce6be84f3b9a> To unsubscribe send an email to tls-leave@ietf.org <d4ae9b22-3430-4673-b22c-d6176e414a0e> 
--

MTG AG
Dr. Falko Strenzke

Phone:
+49 6151 8000 24

E-Mail:
falko.strenzke@mtg.de <8defc910-7f6b-49a2-9f07-5ca2a460dbf2>

Web:
mtg.de <728f1a6d-c8aa-4170-a028-7a0555144252> 
________________________________________
MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised copying or distribution of this email is not permitted.

Data protection information: Privacy policy <margin-top: 0px; margin-bottom: 0px;>