IETF Logo Mail Archive

Re: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt

"A. Huelsing" <ietf@huelsing.net> Tue, 26 July 2016 11:02 UTC

Return-Path: <ietf@huelsing.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C88F712D555 for <cfrg@ietfa.amsl.com>; Tue, 26 Jul 2016 04:02:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2utKvc0knsK for <cfrg@ietfa.amsl.com>; Tue, 26 Jul 2016 04:02:46 -0700 (PDT)
Received: from www363.your-server.de (www363.your-server.de [78.46.179.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2204B12D1C0 for <cfrg@irtf.org>; Tue, 26 Jul 2016 04:02:45 -0700 (PDT)
Received: from [88.198.220.130] (helo=sslproxy01.your-server.de) by www363.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85_2) (envelope-from <ietf@huelsing.net>) id 1bS08J-0004It-2s; Tue, 26 Jul 2016 13:02:43 +0200
Received: from [131.155.68.224] by sslproxy01.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <ietf@huelsing.net>) id 1bS08I-0003Sw-Sh; Tue, 26 Jul 2016 13:02:42 +0200
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Watson Ladd <watsonbladd@gmail.com>
References: <20160706144508.25995.18605.idtracker@ietfa.amsl.com> <577D1B6E.1020506@huelsing.net> <D3B93AC9.7187E%kenny.paterson@rhul.ac.uk> <994C5976EA09B556.08963792-86E6-4CE4-95FB-23F0F6046EC0@mail.outlook.com> <C6F5FDF9-6A09-4ECB-AAF5-985BF06F0F83@rhul.ac.uk> <69e0bf26-c079-75fb-0a5c-751bf3581016@cs.tcd.ie> <CACsn0cnU1UM1_4Y7at7ov0rr94-YWm0Boogs7R916P2Lk_BpPw@mail.gmail.com> <21d8f293-d302-6ead-66d9-cc05db238348@cs.tcd.ie> <454b1115-787b-f148-1448-58e7de1620c7@huelsing.net> <d8c335ef-f486-708f-5736-03a1a3a947f0@cs.tcd.ie> <037bc196-3ddd-4f36-b5d6-3d3e65aefee8@huelsing.net> <5acb49c7-9782-cdc0-1358-2dfd62094fe3@cs.tcd.ie>
From: "A. Huelsing" <ietf@huelsing.net>
Message-ID: <0e502c44-2ad3-f391-3070-49e4ff9afaee@huelsing.net>
Date: Tue, 26 Jul 2016 13:02:42 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <5acb49c7-9782-cdc0-1358-2dfd62094fe3@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: ietf@huelsing.net
X-Virus-Scanned: Clear (ClamAV 0.99.2/21972/Tue Jul 26 08:57:26 2016)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/TR-ZmdbpLkb_u78B5uWrMdfQZmk>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2016 11:02:48 -0000

Hi,

>> The reason
>> being that the required solution differs. E.g., for lattice-based
>> key-exchange where we still got some doubts on the actual security
>> of specific parameter sets, the solution is to deploy it right now in
>> combination with a non-pq but classically secure scheme. 
> I agree that design seems to have merit. I'm not at the point
> where I think it is "the solution."
Yes, sorry. It should be "a possible solution". 
>> That way,
>> we at least get the same security as before... 
> But we break interop, we add new kinds of code with which not
> many are familiar, we make some values much bigger than those
> for which protocols were designed and maybe we change performance
> characteristics in unexpected ways. So it is not clear to me
> that the do-it-in-parallel design is one that we do want to
> recommend yet. (I do expect we'll get there but I don't want
> to see getting there delaying more and better deployment of
> current technologies.)

Sure, but isn't this something a working group should
always check before suggesting to use a new building block.
(I am referring to the working groups that are using e.g. crypto)
It is definitely our part to place a warning sign on building
blocks that behave significantly different than previous ones.

v2.23.0 | Report a Bug | By Email