Re: [Cfrg] [irsg] IRSG review of draft-irtf-cfrg-xmss-hash-based-signatures-08

"A. Huelsing" <> Tue, 20 June 2017 07:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E9D3A1292C5; Tue, 20 Jun 2017 00:59:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IiHyk92Ydjeo; Tue, 20 Jun 2017 00:59:00 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E68E8129400; Tue, 20 Jun 2017 00:58:59 -0700 (PDT)
Received: from [] ( by with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85_2) (envelope-from <>) id 1dNE3r-0003q8-6y; Tue, 20 Jun 2017 09:58:55 +0200
Received: from [] by with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <>) id 1dNE3r-0008Gt-0A; Tue, 20 Jun 2017 09:58:55 +0200
To: Stephen Farrell <>, "Paterson, Kenny" <>, Alexey Melnikov <>, "" <>, "" <>
Cc: "" <>
References: <> <> <> <> <> <> <>
From: "A. Huelsing" <>
Message-ID: <>
Date: Tue, 20 Jun 2017 09:58:53 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
X-Virus-Scanned: Clear (ClamAV 0.99.2/23490/Tue Jun 20 06:14:12 2017)
Archived-At: <>
Subject: Re: [Cfrg] [irsg] IRSG review of draft-irtf-cfrg-xmss-hash-based-signatures-08
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Jun 2017 07:59:03 -0000


thanks a lot for your review Stephen.

Let me comment on the parameter criticism. There is a crucial difference between
XMSS and "traditional" signature schemes which influenced our decision.
Unlike "traditional" signature schemes, XMSS (and all other Merkle-tree based,
stateful schemes) the number of signatures one can generate using a key pair
is controlled by the parameter h, the total tree hight, which also influences
performance significantly (increasing h increases number of signatures but makes
the scheme slower and signatures larger).

What we tried to do was to reduce all parameters that really influence
implementations (used hash function, hash function output length, Winternitz
parameter) to a single mandatory parameter set (SHA2-256, 256, 16). This also
fixes a single security level of 256 bit classical / 128 bit quantum. We only
gave different mandatory options for the total tree height and - for XMSS^MT -
different options for the number of layers d which controls the height of trees
in a hypertree. I am not aware of an implementation that really relies on these
two parameters being fixed. Low-level optimized implementations are rather
vectorizing the hash-function implementation as there is not too much
exploitable parallelism in the signature and verification algorithm as most
operations are sequential (different story for stateless schemes).

Now the selection really depends on what are your requirements, i.e., how many
signatures should be possible with one key pair. I agree that we should support
this highlighting the number of signatures as well as the signature size for
each of these parameter sets.

Finally, regarding the test vectors: I think it makes more sense to think of
hash-based signatures as a protocol rather than a basic primitive. We have
cross-verified reference implementations available. Is there an option to
provide an implementation instead of test vectors? Then developers can test
their implementation by verifying their signatures with the reference code and
check their verification algorithm with signatures from the reference
implementation. I am happy to add test cases (we already got those from the
cross testing).

What do you think?


Am 19-06-17 um 18:48 schrieb Stephen Farrell:
> Hiya,
> On 19/06/17 17:37, Paterson, Kenny wrote:
>> @Stephen: thanks for making this thorough study of the draft.
>> @draft authors: can you please go through this feedback carefully and
>> implement the necessary changes?
>> The toughest part will likely be selecting one set of parameters. If
>> Stephen is amenable (but maybe he is not), I'd suggest highlighting one
>> set amongst the several listed as being your "preferred" set (rather than
>> including just one set as Stephen suggests) - that'd be a halfway house
>> between what you currently have and what Stephen suggests.
> I'm always amenable:-)
> For me, the key thing is to avoid folks using the RFC feeling
> the need to debate which set(s) of parameters to choose to use.
> Such debates are really wasteful, so reducing the set to the
> minimum is very helpful. If there's really a need for loads
> of parameters to be defined, (and I don't think there is for
> this), then that creates a need to explain when to use which,
> in sufficient detail for developers.
> So I do think it's easier to just delete options, and since
> there's an IANA registry, if it turns out more variants are
> needed later then those can be added as needed. So, absent
> someone saying that they need loads of options for their code,
> I'd say just one XMSS and one XMSS^MT option would be best.
> Cheers,
> S.
>> Cheers,
>> Kenny 
>> On 16/06/2017 01:56, "Stephen Farrell" <> wrote:
>>> Hi all,
>>> Apologies for being slow in reviewing this. My comments are below.
>>> I have two things that I think really ought be checked before this
>>> is ready for publication. When that's done, then I think this will
>>> be ready to publish.
>>> I also have two further comments/suggestions that I think would
>>> be significant and relatively easy improvements to the document.
>>> Those don't affect the IRSG review process though, considering the
>>> RG were presumably happy enough as-is. (I'd still argue for those
>>> changes though:-)
>>> And I've a bunch of mostly editorial comments that the authors can
>>> choose to take on board or not as they see fit.
>>> Cheers,
>>> S.
>>> possible errors:
>>> ----------------
>>> - 3.1.2: Algorithm 2: "if ( (i + s) > w - 1 )..." seems to be
>>> missing parenthesis around the "(w-1)" to me.  Without those
>>> brackets I could interpret that test to always result in false.
>>> - 4.1.9: should the call to setIdx in alg 12 be after treeSig?
>>>  as-is you seem to have incremented the index too soon so
>>> that when alg 11 does getIdx it'd presumably get the
>>> incremented index and cause verification failure. I think
>>> the same is true of alg 16 as well, in section 4.2.4.
>>> significant comments, but likely fixable:
>>> -----------------------------------------
>>> - section 5: there are waaaay too many options defined here.
>>>  As-is, this will damage potential deployment of xmss. I
>>> would strongly suggest deleting all of the options except the
>>> minimum, that being one (and only one) set of parameters for
>>> XMSS and one for XMSS^MT. If others are needed later, those
>>> can be defined later. (Note that the damage done here includes
>>> the hours of developer time that would be wasted debating
>>> which of these choices to implement/use. Consider the case of
>>> pre-hash variants of eddsa for an ongoing example.)
>>> - section 5 (or an appendix) should contain some test vectors
>>>  (including intermediate values). Without those, implementers
>>> have a much harder time of getting their code right.
>>> nits, near-nits and other ignorable things:
>>> -------------------------------------------
>>> - abstract: I'd suggest s/can withstand attacks/ can withstand
>>>  so-far known attacks/
>>> - 1.1: You say if used >1 time "no cryptographic security
>>>  guarantees remain." It might be clearer to give some
>>> examples of consequences, e.g. that the attacker can forge new
>>> signatures or whatever.
>>> - 1.1: I think you might mention that XMSS and other OTS ideas
>>>  require some new crypto APIs. I'm not aware if anyone has
>>> developed proposals for such, but would be interested if
>>> someone has.
>>> - 2.3, 2nd last para: you might want to say what happens with
>>>  e.g.  B<<2 where B=0xf0. I assume the result is 0xc0 but
>>> someone might think it's 0x3c0 or even 0xc3.
>>> - 2.5: having the "type word" as octet 15 of a 32 byte address
>>>  seems odd. Is there a reason why? (Just wondering.)
>>> - 2.6: It seems odd to given an example where the input and
>>>  output of base_w() are the same. A different example may be
>>> more useful. (More examples generally would be great.)
>>> - 3.1.3: maybe note that "/" means nothing? Which I assume it
>>>  does? Better might be to just say that.
>>> - 3.1.5: "a maximum value of len_1 * (w - 1) * 2^8" is missing
>>>  units
>>> - 3.1.5: "the variable" - which one?
>>> - 3.1.5: "For the parameter sets given in Section 5 a 32-bit
>>>  unsigned integer is sufficient." Sufficient for what?
>>> - 3.1.5: The ascii art at the end of p16 doesn't help much.
>>> - 3.1.7: The "MUST match" statement doesn't seem enforceable
>>>  nor testable so I'm not sure it's a good idea to include.
>>> OTOH, I do get the idea of using 2119 terms for emphasis.
>>> - 3.1.7: I think it might be useful to point out any specific
>>>  problems associated with using a low entropy human memorable
>>> secret (password) for the value S. No matter what you say,
>>> people will do that, so better if you can say you told them
>>> specifically about downsides of doing that.
>>> - 4.1.12: I'm not sure if the MAY there is correct or not.  If
>>>  it means "you MAY use a different algorithm to get the same
>>> output as alg 12" then that'd be fine. If something else is
>>> meant I'm not sure what you're saying, and it'd probably be
>>> better to not even mention it.
>>> - section 5 should also spell out the signature and
>>> public key sizes in bytes and ideally, if you keep multiple
>>> options, (but please don't:-) describe relative or measured
>>> timings.