Re: [CFRG] [EXTERNAL] pq firmware signing question
Sophie Schmieg <sschmieg@google.com> Mon, 18 March 2024 18:55 UTC
Return-Path: <sschmieg@google.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63FB2C151532 for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2024 11:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.606
X-Spam-Level:
X-Spam-Status: No, score=-22.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cfg-Is-xowe3 for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2024 11:55:34 -0700 (PDT)
Received: from mail-ua1-x929.google.com (mail-ua1-x929.google.com [IPv6:2607:f8b0:4864:20::929]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E938C14CE39 for <Cfrg@irtf.org>; Mon, 18 Mar 2024 11:55:34 -0700 (PDT)
Received: by mail-ua1-x929.google.com with SMTP id a1e0cc1a2514c-7dac7cfbea0so469942241.3 for <Cfrg@irtf.org>; Mon, 18 Mar 2024 11:55:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1710788133; x=1711392933; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ZZvTIPMqvr0z7zllheaGlJyEt7ZdB6yqbg+m+fM8Ivo=; b=lyOS2bALCgHWA+Bjz/TI+qiafXzsnlV23aFMswrWGK4iX6NN9dpGj/OB+DxCRcPLRn MYxJ1cLlHSshLUW7+Gq7qChwca6WNigh6+mZfJJ/T5hYi9Gti2r/FaBc6uTTmX+npSAU uGKO+o9j18L0lcgM7anv+9rr1GoS3yKa6YDo4xAfep36o/aUerFqJEC4LkJN6SCYPV5P BYTRsnD/p5oJg2gl0688GAxBra1v8oHYISjwh4eHcPP68IQPAi53gvMhsOT1Dh/N7uZM hXg7HjCc6tGF38FlY1A0oVtmgS91psRUJ6jRoU3JPrTnIlAPzUBHwcjcnu9209ye3wWu 6t9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710788133; x=1711392933; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ZZvTIPMqvr0z7zllheaGlJyEt7ZdB6yqbg+m+fM8Ivo=; b=nEOUkKpgCPnq9KL9aTP3SeWnIa9ikcka0NfGFgt91B05njaM62oOmo05GZESSe52Xq RloVtkJBOCj335mqCV0YSi1V4+g61CqSrt3uFBrq9LCYI9joXT2DeGFP+vk89vI6XKJI 47n7TUULYZtIrnNDoPg/lNdV7BIpxnliFyLL/34PnL3K3EdPZHSapzyuTYyOXfrlzlDW KmNTrZSMVyQMrYF3YbdcZBdBKwx2RuAPb7a0ICqJduLsjOMC5QwlrbRWRALE2CLdIkXw IuhanfPzfdu9cEg9KAedOGz0B6dLKvBdyBG2XYZ4jAFdm4qfbpzcP7aX5AUUu0tYaNiS EksA==
X-Gm-Message-State: AOJu0Yz7d2VmEWi/MFFEnjl/UzZAhBydc7jWoNbeQhlRNJv2cvgdDbs7 oAjble77v8QNGu5QHZN6LfjR5x2MzpsGLPZYWRumcntpExYQ9ajC+XHQIzDLvhcWL/bd+32X8uB dNcFscPY7+Vz1g/q+h6COkDCTtBNgagi4BYaN
X-Google-Smtp-Source: AGHT+IHIndVu6KliEOa9sazsIWtHxC3nlg98mDzabx49wBs20Di1dKagMjdQiBmdkiHZaPxqHAPZazEYpLbfFWdwIQk=
X-Received: by 2002:a05:6102:358f:b0:474:c475:6cf3 with SMTP id h15-20020a056102358f00b00474c4756cf3mr266634vsu.6.1710788132944; Mon, 18 Mar 2024 11:55:32 -0700 (PDT)
MIME-Version: 1.0
References: <73126498-47c2-4f8a-9425-18a3d9cce22c@cs.tcd.ie> <CH0PR11MB5739FD074FF5337C8E4E3DFB9F2E2@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5444D732D1619268DB3353B8C12E2@CH0PR11MB5444.namprd11.prod.outlook.com> <5e573fc4-3d45-4757-9c3d-efda3c273ed1@cs.tcd.ie> <4C91EA88-46C3-4C9F-866C-2BCB56F08333@amongbytes.com> <799a47e0-b469-4a46-ae1f-42d7b4e7c6ec@mtg.de> <GVXPR07MB967870DE329836FA8A80E321892D2@GVXPR07MB9678.eurprd07.prod.outlook.com> <Zfhys2oSTVZz96Ol@LK-Perkele-VII2.locald>
In-Reply-To: <Zfhys2oSTVZz96Ol@LK-Perkele-VII2.locald>
From: Sophie Schmieg <sschmieg@google.com>
Date: Mon, 18 Mar 2024 11:55:19 -0700
Message-ID: <CAEEbLAZOf=tjdgsHGEkMWJ-Ku38=Z9+rMnm02vmd_cQqYA4AHA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000f38ea90613f3e600"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9dUoAEz7xfiLIM5V8uBw_xQOuD0>
Subject: Re: [CFRG] [EXTERNAL] pq firmware signing question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 18:55:38 -0000
The SLH-DSA public key is so small because it is the root of a Merkle tree, with what are essentially other parts of the public key material being part of the signature. While that construction is necessary for SLH-DSA to work, you can do the same transform for any digital signature scheme: If (G, S, V) is a secure signature scheme, and H is a secure cryptographic hash function, then (G', S', V') where if G creates sk as private and H(pk) as public key, G' return the same sk as private key, but H(pk) for the public key. S'(sk, m) is just the concatenation pk || S(sk, m) and V' first verifies that the hash is indeed the hash of the public key and then verifies the signature according to V. If you apply this transform to ML-DSA you get a scheme with the same size for the public key and a slightly shorter signature compared to SLH-DSA. The reason to prefer SLH-DSA, especially for firmware signing, is that the scheme is much more conservative (it has a security reduction to the security of the used hash function), and that it is far simpler to implement in hardware (It is just a bunch of hash function calls, which you need to support for any signature scheme, so you likely already have blocks for it). On Mon, Mar 18, 2024 at 9:58 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Mon, Mar 18, 2024 at 03:45:00PM +0000, John Mattsson wrote: > > > > * The conservative SLH-DSA is security wise quite attractive for > > this use case but the keys are a bit big. My hardware people > > tells me that they want to keep the amount of burned bytes > > small. As ML-DSA is in CNSA 2.0 my feeling is that ML-DSA is > > more commercially available. ML-DSA also have better > > performance and smaller keys. > > It appears that SLH-DSA keys are actually much smaller: > > - CNSA 2.0 ML-DSA has 2592 byte public key. > - AFAICT, SLH-DSA has 64 byte public key. > > It is the SLH-DSA signatures that are much larger than ML-KEM > signatures. However, the retuned sizes below are less than 2.5x the > 4595 byte ML-DSA signature size. > > > > * The private key in trust anchors is typically used a small > > amount of times. SLH-DSA tuned for much less than 2^64 > > signatures is a good fit. The signing speed is almost > > irrelevant. The verification speed is important. > > Looking at recent paper (eprint 2024/018) on retuning > SPHINCS+/SLH-DSA: > > Category I, 1M signatures > > h=18, d=2, a=14, k=12, w=16: Size 4304, cost 968690/762 > > > Category III, 1M signatures: > > h=24, d=3, a=13, k=16, w=16: Size 9648, cost 890349/1477 > > > And 1M signatures seems plenty: To burn through this in a millenia > takes multiple releases per day (which is extremely fast pace, even for > single-layer setup). > > Advantage of using SPHINCS+ retuned to small number of signatures over > stuff like XMSS is that there are no state-tracking problems. > > However, there is certificational problem here: This will hold, but > can we get this certified enough? > > > > > -Ilari > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://mailman.irtf.org/mailman/listinfo/cfrg > -- Sophie Schmieg | Information Security Engineer | ISE Crypto | sschmieg@google.com
- [CFRG] pq firmware signing question Stephen Farrell
- Re: [CFRG] [EXTERNAL] pq firmware signing question Mike Ounsworth
- Re: [CFRG] [EXTERNAL] pq firmware signing question Stephen Farrell
- Re: [CFRG] pq firmware signing question Dr. Pala
- Re: [CFRG] [EXT] Re: [EXTERNAL] pq firmware signi… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXT] Re: [EXTERNAL] pq firmware signi… Orie Steele
- Re: [CFRG] [EXTERNAL] pq firmware signing question Stephen Farrell
- Re: [CFRG] [EXTERNAL] pq firmware signing question Kris Kwiatkowski
- Re: [CFRG] [EXT] Re: [EXTERNAL] pq firmware signi… Scott Fluhrer (sfluhrer)
- Re: [CFRG] [EXTERNAL] pq firmware signing question Scott Fluhrer (sfluhrer)
- Re: [CFRG] [EXTERNAL] pq firmware signing question Falko Strenzke
- Re: [CFRG] [EXTERNAL] pq firmware signing question John Mattsson
- Re: [CFRG] [EXTERNAL] pq firmware signing question Ilari Liusvaara
- Re: [CFRG] [EXTERNAL] pq firmware signing question Sophie Schmieg
- Re: [CFRG] [EXTERNAL] pq firmware signing question Scott Fluhrer (sfluhrer)
- Re: [CFRG] [EXTERNAL] pq firmware signing question Michael StJohns