[TLS] Re: Composite ML-DSA

Falko Strenzke <falko.strenzke@mtg.de> Fri, 17 April 2026 10:46 UTC

Message-ID: <da9d1f70-f2fc-4035-a7a4-858e4ad0a07d@mtg.de>
Date: Fri, 17 Apr 2026 12:46:16 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
References: <AS4PR07MB88250EF7936CDB2163D88C3089232@AS4PR07MB8825.eurprd07.prod.outlook.com>
Content-Language: de-DE, en-GB
From: Falko Strenzke <falko.strenzke@mtg.de>
Organization: MTG AG
In-Reply-To: <AS4PR07MB88250EF7936CDB2163D88C3089232@AS4PR07MB8825.eurprd07.prod.outlook.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms020801030601090109060207"
Message-ID-Hash: 55RIXCHAXCIALMAHOTJLQRK3O7Q7Z5SI
Precedence: list
Subject: [TLS] Re: Composite ML-DSA
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OqDxZ15uLi2sgKdQGoXmtfoptY0>

Hi John,

Am 16.04.26 um 19:31 schrieb John Mattsson:
> Hi,
>
> While I recommend everybody to use X25519MLKEM768, I do not think TLS 
> should work on hybrid authentication. If hybrid authentication is 
> nevertheless worked on, the composite signatures in 
> draft-reddy-tls-composite-mldsa seem like the least suitable approach.
>
> Work on hybrid signatures in 2026 is a distraction delaying the urgent 
> migration to PQC signatures, particularly for PKI and long-lived 
> devices. I see little justification for placing less trust in ML-DSA 
> than in RSA or ECDSA (EdDSA is a good algorithm but is not widely used 
> in TLS). In fact, the sooner RSA and ECDSA can be replaced by ML-DSA 
> or SLH-DSA, the better. For those not yet ready to adopt ML-DSA, 
> standalone SLH-DSA is the way to go.
SLH-DSA doubles the signature size of public-key+signature for the 
lowest security level compared to ML-DSA. For the higher two levels it 
gets much worse. This is the reason why composites are relevant: if 
using them with ECC signatures, they have no measurable effect on the 
signature size compared to ML-DSA.
>
> All modern signature schemes (RSA-PSS, EdDSA, LMS, XMSS, ML-DSA, 
> SLH-DSA, FN-DSA) avoid trivial attacks on strong unforgeability and 
> provide a high level of SUF-CMA security. I do not think TLS should 
> introduce any new weak signature algorithms such as 
> draft-reddy-tls-composite-mldsa. draft-reddy-tls-composite-mldsa goes 
> against the principle in both US SP 800-227 and EU Roadmap for 
> transition to PQC which states that hybrids should preserve the 
> security properties of its components. The new cryptographic 
> algorithms in draft-reddy-tls-composite-mldsa (which has not been 
> vetted by CFRG) significantly weakens the security properties of 
> ML-DSA as they introduce trivial attacks on strong unforgeability.
>
> With the algorithms in draft-reddy-tls-composite-mldsa, a CA does not 
> issue a single certificate; instead, it issues a set of valid 
> certificates, each with its own fingerprint. This has practical 
> consequences for TLS. Logging, SIEM, and threat intelligence systems 
> often record events such as “Observed certificate fingerprint X 
> connecting to service Y,” implicitly treating the fingerprint as a 
> stable identifier. Similarly, blocklists often operate on fingerprints 
> (e.g., “Block fingerprint X”), and incident response workflows often 
> rely on fingerprints as unique identifiers when searching for the 
> attacker across datasets. In the presence of trivial attacks on strong 
> unforgeability, these assumptions break down, as the same underlying 
> certificate can appear under many fingerprints. I think standardizing 
> ECDSA with trivial attacks on strong unforgeability was a big mistake 
> that should not be repeated.

You are addressing the problem of lack of SUF-CMA in regard to 
signatures of certificates. The discussion here however is about TLS 
signatures. The case for certification path validation is already 
settled by defining ML-DSA-composite signatures for X.509. Once the RFC 
is out, this automatically applies to path validation in all X.509 
contexts, including TLS.

So what would be relevant for the discussion at hand are only SUF-CMA 
concerns with regard to TLS signatures, i.e. TLS server and client 
certificates featuring composite keys. If there was such a problem, I 
assume this should already be a known with regard to ECDSA.

Falko

>
> Cheers,
> John Preuß Mattsson
>
> _______________________________________________
> TLS mailing list --tls@ietf.org
> To unsubscribe send an email totls-leave@ietf.org
-- 

*MTG AG*
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>

------------------------------------------------------------------------

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>

Attachment: smime.p7s

[TLS] Re: Composite ML-DSA John Mattsson
[TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
[TLS] Working Group Last Call for Use of ML-DSA i… Sean Turner
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Stephen Farrell
[TLS] Re: [EXTERNAL] Working Group Last Call for … Andrei Popov
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Quynh Dang
[TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
[TLS] Re: Working Group Last Call for Use of ML-D… Daniel Van Geest
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Ilari Liusvaara
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Jan Schaumann
[TLS] Re: Working Group Last Call for Use of ML-D… Corey Bonnell
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
[TLS] Re: Working Group Last Call for Use of ML-D… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Marc Penninga
[TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
[TLS] Re: Working Group Last Call for Use of ML-D… Martin Thomson
[TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
[TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… tirumal reddy
[TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
[TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Joshua
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Andrei Popov
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
[TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
[TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
[TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
[TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Composite ML-DSA tirumal reddy
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA tirumal reddy
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
[TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
[TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
[TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
[TLS] Re: Composite ML-DSA Sean Turner
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Filippo Valsorda
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Tim Hudson
[TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
[TLS] Re: Composite ML-DSA David Benjamin
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Working Group Last Call for Use of ML-D… Joshua
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
[TLS] Re: Working Group Last Call for Use of ML-D… Thom Wiggers
[TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
[TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… Falko Strenzke
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA Andrei Popov
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Nico Williams
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Christopher Patton
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Yaroslav Rosomakho
[TLS] Re: Composite ML-DSA Simon Josefsson
[TLS] Re: Composite ML-DSA Simon Josefsson
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Filippo Valsorda
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Working Group Last Call for Use of ML-D… Dennis Jackson
[TLS] Re: Composite ML-DSA Dennis Jackson
[TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Peter C
[TLS] Re: Composite ML-DSA Nadim Kobeissi
[TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Eric Rescorla
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Composite ML-DSA Nico Williams
[TLS] Re: Composite ML-DSA tim.beckmann
[TLS] Re: Composite ML-DSA Sophie Schmieg
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… Yaakov Stein
[TLS] Re: Composite ML-DSA Mike Ounsworth
[TLS] Re: Composite ML-DSA Watson Ladd
[TLS] Re: Composite ML-DSA Mike Ounsworth
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: [EXTERNAL] Re: Composite ML-DSA John Gray
[TLS] Re: Composite ML-DSA Falko Strenzke

[TLS] Re: Composite ML-DSA

Attachment: smime.p7s