Re: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sat, 23 July 2016 18:19 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt
Date: Sat, 23 Jul 2016 18:19:32 +0000
Message-ID: <D3B9743A.71997%kenny.paterson@rhul.ac.uk>
References: <20160706144508.25995.18605.idtracker@ietfa.amsl.com> <577D1B6E.1020506@huelsing.net> <D3B93AC9.7187E%kenny.paterson@rhul.ac.uk> <CACsn0cn-tpMnLjYFH7a6NT8N3tbYob2W=CCycXRwhTn=3J7e4Q@mail.gmail.com>
In-Reply-To: <CACsn0cn-tpMnLjYFH7a6NT8N3tbYob2W=CCycXRwhTn=3J7e4Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/GhUB5f3NNCD4jYxW85bchdiFg_I>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt

Hi Watson,

On 23/07/2016 17:03, "Watson Ladd" <watsonbladd@gmail.com> wrote:

>On Sat, Jul 23, 2016 at 7:35 AM, Paterson, Kenny
><Kenny.Paterson@rhul.ac.uk> wrote:
>> Dear Andreas,
>>
>> Thanks for pushing the new version.
>>
>> Stephen and I had a chat at IETF 96 this week. His original suggestion for
>> text to be added was this [1]:
>>
>> "All quantum-resistant algorithms documented by CFRG are today
>> considered ready for experimentation and further engineering
>> development (e.g. to establish the impact of performance and sizes
>> on IETF protocols) but CFRG has consensus that we are not yet
>> sufficiently confident to the point where we would want the security
>> or privacy of a significant part of the Internet to be dependent on
>> any set of those algorithms. In future, as things mature, CFRG
>> intends to publish updated guidance on this topic."
>>
>> Personally, I think this is too strong for hash-based signatures: although
>> we have no deployment experience (that I know of), we do have fairly
>> strong confidence in the security of hash-based signatures against quantum
>> computers, given the current state of the art of research in quantum
>> algorithms. I'd suggest instead that some text like this should be
>> included:
>>
>>
>> "All quantum-resistant algorithms documented by CFRG are today
>> considered ready for experimentation and further engineering
>> development (e.g. to establish the impact of performance and sizes
>> on IETF protocols). However, at the time of writing, we do not have
>> significant deployment experience with such algorithms.
>> CFRG consensus is that we are confident in the security of the
>> signature schemes described in this document against
>> quantum computers, given the current state of the research
>> community's knowledge about quantum algorithms. Indeed, we are
>> confident that the security of a significant part of the Internet
>> could be made dependent on the signature schemes defined in this
>> document."
>>
>> I realise that's a pretty strong statement that is the opposite of what
>> Stephen suggested *for these signature schemes*.
>>
>> So let's discuss a bit more, and see if there is consensus from CFRG for
>> the statement I've made here. Happy also to receive suggestions for
>> alternative, better-worded statements.
>
>I like the second in terms of what it means.
>
>Minor wordsmithing suggestions: Remove "given the current state of the
>research community's knowledge about quantum algorithms". This caveat
>applies to almost all schemes: new attacks could be discovered later.

Fair enough.

>The last sentence seems a bit too strong and redundant at the same
>time. We're assuming we could make the Internet work with this, but
>don't have deployment experience. How about "This scheme is
>sufficiently secure for use in all Internet protocols, and it will
>require deployment experience to see if its use is feasible"? I
>wouldn't object to the current text either.

Your proposal is definitely better, thanks.

Cheers

Kenny

>
>>
>> Cheers,
>>
>>
>> Kenny
>>
>> [1] https://www.ietf.org/mail-archive/web/cfrg/current/msg08315.html
>>
>> On 06/07/2016 15:53, "Cfrg on behalf of A. Huelsing"
>> <cfrg-bounces@irtf.org on behalf of ietf@huelsing.net> wrote:
>>
>>>Hi,
>>>
>>>we pushed a new version that further simplifies the addresses due to a
>>>comment we received off-list. It is a minor change that simplifies
>>>implementation of addresses as u_int32 array. We did not take any action
>>>regarding Stephen's comment, yet. For this we want to get more feedback
>>>on what we should do.
>>>
>>>Andreas
>>>
>>>
>>>
>>>On 07/06/16 16:45, internet-drafts@ietf.org wrote:
>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>> This draft is a work item of the Crypto Forum of the IETF.
>>>>
>>>>         Title           : XMSS: Extended Hash-Based Signatures
>>>>         Authors         : Andreas Huelsing
>>>>                           Denis Butin
>>>>                           Stefan-Lukas Gazdag
>>>>                           Aziz Mohaisen
>>>>      Filename        : draft-irtf-cfrg-xmss-hash-based-signatures-06.txt
>>>>      Pages           : 66
>>>>      Date            : 2016-07-06
>>>>
>>>> Abstract:
>>>>    This note describes the eXtended Merkle Signature Scheme (XMSS), a
>>>>    hash-based digital signature system.  It follows existing
>>>>    descriptions in scientific literature.  The note specifies the WOTS+
>>>>    one-time signature scheme, a single-tree (XMSS) and a multi-tree
>>>>    variant (XMSS^MT) of XMSS.  Both variants use WOTS+ as a main
>>>>    building block.  XMSS provides cryptographic digital signatures
>>>>    without relying on the conjectured hardness of mathematical problems.
>>>>    Instead, it is proven that it only relies on the properties of
>>>>    cryptographic hash functions.  XMSS provides strong security
>>>>    guarantees and is even secure when the collision resistance of the
>>>>    underlying hash function is broken.  It is suitable for compact
>>>>    implementations, relatively simple to implement, and naturally
>>>>    resists side-channel attacks.  Unlike most other signature systems,
>>>>    hash-based signatures withstand attacks using quantum computers.
>>>>
>>>>
>>>> The IETF datatracker status page for this draft is:
>>>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-xmss-hash-based-signatures/
>>>>
>>>> There's also an htmlized version available at:
>>>> https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-06
>>>>
>>>> A diff from the previous version is available at:
>>>> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-xmss-hash-based-signatures-06
>>>>
>>>>
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>
>>>> _______________________________________________
>>>> Cfrg mailing list
>>>> Cfrg@irtf.org
>>>> https://www.irtf.org/mailman/listinfo/cfrg
>>>
>
>
>
>-- 
>"Man is born free, but everywhere he is in chains".
>--Rousseau.