Re: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sat, 23 July 2016 18:19 UTC
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 23 Jul 2016 18:19:32 +0000
Message-ID: <D3B9743A.71997%kenny.paterson@rhul.ac.uk>
References: <20160706144508.25995.18605.idtracker@ietfa.amsl.com> <577D1B6E.1020506@huelsing.net> <D3B93AC9.7187E%kenny.paterson@rhul.ac.uk> <CACsn0cn-tpMnLjYFH7a6NT8N3tbYob2W=CCycXRwhTn=3J7e4Q@mail.gmail.com>
In-Reply-To: <CACsn0cn-tpMnLjYFH7a6NT8N3tbYob2W=CCycXRwhTn=3J7e4Q@mail.gmail.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Hi Watson,

On 23/07/2016 17:03, "Watson Ladd" <watsonbladd@gmail.com> wrote:

>On Sat, Jul 23, 2016 at 7:35 AM, Paterson, Kenny
><Kenny.Paterson@rhul.ac.uk> wrote:
>> Dear Andreas,
>>
>> Thanks for pushing the new version.
>>
>> Stephen and I had a chat at IETF 96 this week. His original suggestion
>> for text to be added was this [1]:
>>
>> "All quantum-resistant algorithms documented by CFRG are today
>> considered ready for experimentation and further engineering
>> development (e.g. to establish the impact of performance and sizes
>> on IETF protocols) but CFRG has consensus that we are not yet
>> sufficiently confident to the point where we would want the security
>> or privacy of a significant part of the Internet to be dependent on
>> any set of those algorithms. In future, as things mature, CFRG
>> intends to publish updated guidance on this topic."
>>
>> Personally, I think this is too strong for hash-based signatures:
>> although we have no deployment experience (that I know of), we do have
>> fairly strong confidence in the security of hash-based signatures
>> against quantum computers, given the current state of the art of
>> research in quantum algorithms. I'd suggest instead that some text
>> like this should be included:
>>
>> "All quantum-resistant algorithms documented by CFRG are today
>> considered ready for experimentation and further engineering
>> development (e.g. to establish the impact of performance and sizes
>> on IETF protocols). However, at the time of writing, we do not have
>> significant deployment experience with such algorithms.
>> CFRG consensus is that we are confident in the security of the
>> signature schemes described in this document against
>> quantum computers, given the current state of the research
>> community's knowledge about quantum algorithms. Indeed, we are
>> confident that the security of a significant part of the Internet
>> could be made dependent on the signature schemes defined in this
>> document."
>>
>> I realise that's a pretty strong statement that is the opposite of what
>> Stephen suggested *for these signature schemes*.
>>
>> So let's discuss a bit more, and see if there is consensus from CFRG for
>> the statement I've made here. Happy also to receive suggestions for
>> alternative, better-worded statements.
>
>I like the second in terms of what it means.
>
>Minor wordsmithing suggestions: Remove "given the current state of the
>research community's knowledge about quantum algorithms". This caveat
>applies to almost all schemes: new attacks could be discovered later.

Fair enough.

>The last sentence seems a bit too strong and redundant at the same
>time. We're assuming we could make the Internet work with this, but
>don't have deployment experience. How about "This scheme is
>sufficiently secure for use in all Internet protocols, and it will
>require deployment experience to see if its use is feasible"? I
>wouldn't object to the current text either.

Your proposal is definitely better, thanks.

Cheers

Kenny

>
>> Cheers,
>>
>> Kenny
>>
>> [1] https://www.ietf.org/mail-archive/web/cfrg/current/msg08315.html
>>
>> On 06/07/2016 15:53, "Cfrg on behalf of A. Huelsing"
>> <cfrg-bounces@irtf.org on behalf of ietf@huelsing.net> wrote:
>>
>>>Hi,
>>>
>>>we pushed a new version that further simplifies the addresses due to a
>>>comment we received off-list. It is a minor change that simplifies
>>>implementation of addresses as u_int32 array. We did not take any action
>>>regarding Stephen's comment, yet. For this we want to get more feedback
>>>on what we should do.
>>>
>>>Andreas
>>>
>>>On 07/06/16 16:45, internet-drafts@ietf.org wrote:
>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>> directories.
>>>> This draft is a work item of the Crypto Forum of the IETF.
>>>>
>>>> Title : XMSS: Extended Hash-Based Signatures
>>>> Authors : Andreas Huelsing
>>>> Denis Butin
>>>> Stefan-Lukas Gazdag
>>>> Aziz Mohaisen
>>>> Filename : draft-irtf-cfrg-xmss-hash-based-signatures-06.txt
>>>> Pages : 66
>>>> Date : 2016-07-06
>>>>
>>>> Abstract:
>>>> This note describes the eXtended Merkle Signature Scheme (XMSS), a
>>>> hash-based digital signature system. It follows existing
>>>> descriptions in scientific literature. The note specifies the WOTS+
>>>> one-time signature scheme, a single-tree (XMSS) and a multi-tree
>>>> variant (XMSS^MT) of XMSS. Both variants use WOTS+ as a main
>>>> building block. XMSS provides cryptographic digital signatures
>>>> without relying on the conjectured hardness of mathematical problems.
>>>> Instead, it is proven that it only relies on the properties of
>>>> cryptographic hash functions. XMSS provides strong security
>>>> guarantees and is even secure when the collision resistance of the
>>>> underlying hash function is broken. It is suitable for compact
>>>> implementations, relatively simple to implement, and naturally
>>>> resists side-channel attacks. Unlike most other signature systems,
>>>> hash-based signatures withstand attacks using quantum computers.
>>>>
>>>> The IETF datatracker status page for this draft is:
>>>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-xmss-hash-based-signatures/
>>>>
>>>> There's also a htmlized version available at:
>>>> https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-06
>>>>
>>>> A diff from the previous version is available at:
>>>> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-xmss-hash-based-signatures-06
>>>>
>>>> Please note that it may take a couple of minutes from the time of
>>>> submission until the htmlized version and diff are available at
>>>> tools.ietf.org.
>>>>
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>
>>>> _______________________________________________
>>>> Cfrg mailing list
>>>> Cfrg@irtf.org
>>>> https://www.irtf.org/mailman/listinfo/cfrg
>
>--
>"Man is born free, but everywhere he is in chains".
>--Rousseau.