[TLS] Re: Composite ML-DSA

John Mattsson <john.mattsson@ericsson.com> Thu, 16 April 2026 17:31 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: TLS List <tls@ietf.org>
Thread-Topic: [TLS] Re: Composite ML-DSA
Thread-Index: AQHczcWfnfWPRqPDq0qvGAgMYbhWoQ==
Date: Thu, 16 Apr 2026 17:31:44 +0000
Message-ID: <AS4PR07MB88250EF7936CDB2163D88C3089232@AS4PR07MB8825.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: bbcfATgD3XJORhlH4p2ocYmCY7U11U2Xi1FbC0Ai9bNz1R/0Q8QOPSW9Bsj5vUijIHgc5aPTotMgj2ALTK2r5tcevf30C8dEHVQq1vcTlnvExSF9GoqlEhtjAlLHC23NViLH2v53Iw3LilIvpyhvU3OmMW3anzNOng22BPoJp1Rqb0gMaBnJ2b3zmh53VYMOjmOHbw4EU3L4y0DjmX8L0Ko6v2v64jUHCEXlW8WvokTOQjLQOMXq55wUegzitf8S75YhXOC2prk+J2pb1u4BOYdatACjECk9d7nvPiZwxq6bvhpwzrKFAk+1cFg14BlRRjR0IBj3bddyCHe4pBQAKEPbL3hRMsn+A/5TEPZiq8r86cJKnC+5O1TEvKjcd4WNbCHYRzxwYBC5skWGY2Q9yXOyQm8xXeUHMTrLwK284T6bqYEI9QHt2Tw1dohTE76lbhymd86Sk/YjE5gcEsDKjZADJL23jj9IYXIvZlT25DqWvMq3zTSMbgQ/gyQnFeD+qir+De+F4nZdqtwvBOuRQctpRaA75mONvFmmREycMBX+NlefwNBakYRMiD6NQf/6qlT8s6VPmCxM5KWhkUNPr04YaM9mitbcYojSRMf5ZLoEJ6VKKSC/NzWaSb0nRIsU37uOKM0tSGNSJJZcyz/MBoMr3dW1/DsLQBTvpihYdkzZgF/Xtkll5g1sClbEzacKZKpdOy9UkNt9OUKp0SxGISS0UMxZ8TtGJQZk1Oqf/MQbYDIyeKU/qGI+KHlLSmURMb8CzMhlnbZfPYgnVWeGKCYEyoOmLgDCf4LFDm5smrviLlenlKESv4NVzkGDg4xSCEHBmNQVDwr/39EzxsM8aWlvNEBErjS+4dvyg9+oKeStXKQQBP9nmc2PR5B4jRLYIb8KubG34t2fGt0aw6EZSA2ma6TulYo5KGZNNnDGzW8TRh3MQ6lCNCDlhsxmfctD3uAssJN+Oom2c4SIbX4RrHBs0mkR4qrlex5+0RPtzXK4basPtC/1jnjFAkZsauq+pUmGouUYdACUqmrZW81IYBZHl80I+sTzqgKbLlTnhJXmWlHGcE2qrShw65gumObnsnFLOHty6RWWji9vPP2/ZLBj0zCzGFZflc0RMXBGmnvpx/QoYLUVOh16CJCweei3Fq0hUBgDH0HDp6+QYRH6l4aa6jDm69xjpaXVm5Zfh2IGsQMsrrIwwTyC4E1TIsZx2Efg/PwPv3vBtOlF2Vi5EjZtfYlcW/FWHFh8BygSR0bSCu3zKaCqV6KMeq2RdTzvN4mAwrtvQDBmpLHkIh7P2iLLxOcN69Cxp+edomfe4wojCgeAeTbOTPDsyL1ofX7vkboQF0GN0VZ2/uXjpmC6EtcoycDx0M2yl3kp1f/73L5x7/FpiBbhdd1L0ax4F0ARiQawKCc+JN5Q37C1ZJFbMLL1yNjy8Bh/JLEvBXrSsrlvkKNyf1DXU/sGbg5qnSWEJH64bTzdwL04RJZoodYxZn8UrFRKvd1cKMuZVE8W6DrJpbDbSXSoxXUcLQfv+h4OSdc5B+i7iex1GoEtfKkPHvqaH1lxiNceXfh6lRLZRZD18iteMmUA+xvc26J+Ey4k/7C/1up8pglrLWPFdvlvb/zj1niMSLbkrcb+HQCvgXxzOK9NNayPiVebCkaUevQ4ZFYhcG0B8nSSXH2mmO7AoOX6mRrbLXU2OkXRE0yGzs1B0aYwrT4XRERdiGTIfvNGyQ3LrTuW5xGppDqS48VeBrXnqJRUNY70iQinJQBvlVY=
Content-Type: multipart/alternative; boundary="_000_AS4PR07MB88250EF7936CDB2163D88C3089232AS4PR07MB8825eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS4PR07MB8825.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 81aa6ddc-1d45-40d6-aa63-08de9bde07d2
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Apr 2026 17:31:44.9260 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OSYT2IPJ3yOzmGS1BnVhmKfp6Rpxj+7SlCJo71Q8tI3ZFAwKvLYLeign6gdKU3UYdcNI6C7H8/Qk7FGR5S3C8AqXmfuZ/JbMa5y8L7KE2n0=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AMBPR07MB10685
Message-ID-Hash: 6UMWMZADS6PRVUUYJ2QUWLAENMNCDKXG
X-Message-ID-Hash: 6UMWMZADS6PRVUUYJ2QUWLAENMNCDKXG
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Composite ML-DSA
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Wo9h9hhKZyqxkjYLDhjFpqvBaoU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi,

While I recommend everybody to use X25519MLKEM768, I do not think TLS should work on hybrid authentication. If hybrid authentication is nevertheless worked on, the composite signatures in draft-reddy-tls-composite-mldsa seem like the least suitable approach.

Work on hybrid signatures in 2026 is a distraction delaying the urgent migration to PQC signatures, particularly for PKI and long-lived devices. I see little justification for placing less trust in ML-DSA than in RSA or ECDSA (EdDSA is a good algorithm but is not widely used in TLS). In fact, the sooner RSA and ECDSA can be replaced by ML-DSA or SLH-DSA, the better. For those not yet ready to adopt ML-DSA, standalone SLH-DSA is the way to go.

All modern signature schemes (RSA-PSS, EdDSA, LMS, XMSS, ML-DSA, SLH-DSA, FN-DSA) avoid trivial attacks on strong unforgeability and provide a high level of SUF-CMA security. I do not think TLS should introduce any new weak signature algorithms such as draft-reddy-tls-composite-mldsa. draft-reddy-tls-composite-mldsa goes against the principle in both US SP 800-227 and EU Roadmap for transition to PQC which states that hybrids should preserve the security properties of its components. The new cryptographic algorithms in draft-reddy-tls-composite-mldsa (which has not been vetted by CFRG) significantly weakens the security properties of ML-DSA as they introduce trivial attacks on strong unforgeability.

With the algorithms in draft-reddy-tls-composite-mldsa, a CA does not issue a single certificate; instead, it issues a set of valid certificates, each with its own fingerprint. This has practical consequences for TLS. Logging, SIEM, and threat intelligence systems often record events such as “Observed certificate fingerprint X connecting to service Y,” implicitly treating the fingerprint as a stable identifier. Similarly, blocklists often operate on fingerprints (e.g., “Block fingerprint X”), and incident response workflows often rely on fingerprints as unique identifiers when searching for the attacker across datasets. In the presence of trivial attacks on strong unforgeability, these assumptions break down, as the same underlying certificate can appear under many fingerprints. I think standardizing ECDSA with trivial attacks on strong unforgeability was a big mistake that should not be repeated.

Cheers,
John Preuß Mattsson

[TLS] Re: Composite ML-DSA John Mattsson
[TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
[TLS] Working Group Last Call for Use of ML-DSA i… Sean Turner
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Stephen Farrell
[TLS] Re: [EXTERNAL] Working Group Last Call for … Andrei Popov
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Quynh Dang
[TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
[TLS] Re: Working Group Last Call for Use of ML-D… Daniel Van Geest
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Ilari Liusvaara
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Jan Schaumann
[TLS] Re: Working Group Last Call for Use of ML-D… Corey Bonnell
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
[TLS] Re: Working Group Last Call for Use of ML-D… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Marc Penninga
[TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
[TLS] Re: Working Group Last Call for Use of ML-D… Martin Thomson
[TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
[TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… tirumal reddy
[TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
[TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Joshua
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Andrei Popov
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
[TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
[TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
[TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
[TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Composite ML-DSA tirumal reddy
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA tirumal reddy
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
[TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
[TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
[TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
[TLS] Re: Composite ML-DSA Sean Turner
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Filippo Valsorda
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Tim Hudson
[TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
[TLS] Re: Composite ML-DSA David Benjamin
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Working Group Last Call for Use of ML-D… Joshua
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
[TLS] Re: Working Group Last Call for Use of ML-D… Thom Wiggers
[TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
[TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… Falko Strenzke
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA Andrei Popov
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Nico Williams
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Christopher Patton
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Yaroslav Rosomakho
[TLS] Re: Composite ML-DSA Simon Josefsson
[TLS] Re: Composite ML-DSA Simon Josefsson
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Filippo Valsorda
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Working Group Last Call for Use of ML-D… Dennis Jackson
[TLS] Re: Composite ML-DSA Dennis Jackson
[TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Peter C
[TLS] Re: Composite ML-DSA Nadim Kobeissi
[TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Eric Rescorla
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Composite ML-DSA Nico Williams
[TLS] Re: Composite ML-DSA tim.beckmann
[TLS] Re: Composite ML-DSA Sophie Schmieg
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… Yaakov Stein
[TLS] Re: Composite ML-DSA Mike Ounsworth
[TLS] Re: Composite ML-DSA Watson Ladd
[TLS] Re: Composite ML-DSA Mike Ounsworth
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: [EXTERNAL] Re: Composite ML-DSA John Gray
[TLS] Re: Composite ML-DSA Falko Strenzke