ZjQcmQRYFpfptBannerEnd
In the section "B.1 FIPS certification", the draft says:
"algorithm to be [...] considered FIPS-approved even when one of the component algorithms is not"
and then
"overall composite should be considered full strength and thus FIPS-approved"
I think, the "full strength" may be misleading. Also the term is not clearly defined. Hence, it could be understood as "full strength of classical+PQ" and that is opposite to what NIST FAQ [1] says. I.e. let say MLDSA is FIPS-approved in a future, and we create composite with MLDSA-44 + some on-ramp signature that claims level 5. Does it mean the strength of that construct should be considered FIPS-approved with security strength of equal to level 2 or 5?
As this draft is now about creating composite signatures with MLDSA, so do we need B.1? The discussion about FIPS-approved dual signature schemes sounds like a great discussion to have, but in a different place (and ideally on CMUF forum).
My suggestion would be to remove B.1 to avoid spreading potentially misleading information about important topic.
Additional nit:
The abstract says "Composite algorithms are provided which combine ML-DSA with RSA, ECDSA, Ed25519, and Ed448.". Shouldn't it say MLDSA only?
Kris Kwiatkowski
Cryptography Dev
--- Group discussed this and decide to change the following:
change:
overall composite should be considered full strength and thus FIPS-approved"
to
overall composite should be considered at least as strong and thus FIPS-approved"
From: https://github.com/EntrustCorporation/draft-ounsworth-composite-sigs/issues/145
Address Kris's comments:
ZjQcmQRYFpfptBannerEnd In the section "B.1 FIPS certification", the draft says:
"algorithm to be [...] considered FIPS-approved even when one of the component algorithms is not" and then "overall composite should be considered full strength and thus FIPS-approved" I think, the "full strength" may be misleading. Also the term is not clearly defined. Hence, it could be understood as "full strength of classical+PQ" and that is opposite to what NIST FAQ [1] says. I.e. let say MLDSA is FIPS-approved in a future, and we create composite with MLDSA-44 + some on-ramp signature that claims level 5. Does it mean the strength of that construct should be considered FIPS-approved with security strength of equal to level 2 or 5?
As this draft is now about creating composite signatures with MLDSA, so do we need B.1? The discussion about FIPS-approved dual signature schemes sounds like a great discussion to have, but in a different place (and ideally on CMUF forum).
My suggestion would be to remove B.1 to avoid spreading potentially misleading information about important topic.
Additional nit:
The abstract says "Composite algorithms are provided which combine ML-DSA with RSA, ECDSA, Ed25519, and Ed448.". Shouldn't it say MLDSA only?
Kris Kwiatkowski Cryptography Dev
--- Group discussed this and decide to change the following:
change: overall composite should be considered full strength and thus FIPS-approved" to overall composite should be considered at least as strong and thus FIPS-approved"
until FIPS deprecates RSA or EC...