> Since the first three bytes of the SSH protocol signature input are different from the ssh-keygen signature input, the SSH client and ssh-keygen will never produce identical signatures. Therefore, there is no risk of cross-protocol attacks
That's not convincing to me. Does anyone have more details on this?
It does not seem right to me that a signing protocol secure for similar things would necessarily be secure against random things; an LFR over a long sequence seems like it could be different than a single feedback over random space, and sometimes that difference could be important.
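A worked example, added here and not part of the thread, that builds the two to-be-signed blobs from their published formats (PROTOCOL.sshsig for `ssh-keygen -Y sign`, RFC 4252 section 7 for publickey userauth) and checks the "first three bytes differ" claim. The user name, service name, key blob and session identifier are constructed placeholders; the structure of each blob is the documented one.

```python
import hashlib
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252 message number


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def sshsig_signed_data(message: bytes, namespace: bytes, hash_alg: str = "sha512") -> bytes:
    """Blob that ssh-keygen -Y sign actually signs (PROTOCOL.sshsig):
    MAGIC_PREAMBLE "SSHSIG", string namespace, string reserved (empty),
    string hash_algorithm, string H(message)."""
    digest = hashlib.new(hash_alg, message).digest()
    return (b"SSHSIG"
            + ssh_string(namespace)
            + ssh_string(b"")
            + ssh_string(hash_alg.encode())
            + ssh_string(digest))


def userauth_signed_data(session_id: bytes, user: bytes, service: bytes,
                         key_alg: bytes, pubkey_blob: bytes) -> bytes:
    """Blob an SSH client signs for publickey authentication (RFC 4252 s.7):
    string session identifier, byte SSH_MSG_USERAUTH_REQUEST, string user name,
    string service name, string "publickey", boolean TRUE,
    string public key algorithm name, string public key blob."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user)
            + ssh_string(service)
            + ssh_string(b"publickey")
            + b"\x01"  # boolean TRUE: a signature follows
            + ssh_string(key_alg)
            + ssh_string(pubkey_blob))


def domain_separated(a: bytes, b: bytes, n: int = 3) -> bool:
    """True when the two to-be-signed blobs already differ within their first n bytes,
    i.e. no single signature can be valid under both interpretations."""
    return a[:n] != b[:n]


def colliding_session_id_length() -> int:
    """Session-identifier length whose uint32 length prefix would spell b'SSHS'.
    The session id is a key-exchange hash (32 or 64 bytes), so this length
    (about 1.4 GB) never occurs; it quantifies why the prefixes cannot collide."""
    return int.from_bytes(b"SSHS", "big")


def demo() -> bool:
    # Constructed sample values; a real session id is the exchange hash H.
    session_id = hashlib.sha256(b"constructed kex transcript").digest()
    auth_blob = userauth_signed_data(session_id, b"alice", b"ssh-connection",
                                     b"ssh-ed25519", b"\x00" * 51)
    file_blob = sshsig_signed_data(b"release.tar.gz contents", b"file")
    print("userauth prefix:", auth_blob[:4].hex())   # 00000020: length of a 32-byte session id
    print("sshsig   prefix:", file_blob[:6])          # b'SSHSIG'
    return domain_separated(auth_blob, file_blob)


if __name__ == "__main__":
    print("domain separated:", demo())
```

The check shows why the quoted argument holds for these two formats specifically: a userauth blob always opens with the big-endian length of the session identifier, which for any real exchange hash is `00 00 00`, while an SSHSIG blob opens with ASCII `SSH`. The concern raised above is a fair general one, but here the separation does not rely on the signing primitive behaving well on arbitrary input; the two inputs are distinguishable before any hashing or signing happens.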