Re: [Cfrg] [MASSMAIL] Re: New Version Notification for draft-irtf-cfrg-xmss-hash-based-signatures-03.txt
"A. Huelsing" <ietf@huelsing.net> Fri, 13 May 2016 17:57 UTC
Return-Path: <ietf@huelsing.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE45F12D517 for <cfrg@ietfa.amsl.com>; Fri, 13 May 2016 10:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u2jxZ_Mc359y for <cfrg@ietfa.amsl.com>; Fri, 13 May 2016 10:57:14 -0700 (PDT)
Received: from www363.your-server.de (www363.your-server.de [78.46.179.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A455812D668 for <cfrg@irtf.org>; Fri, 13 May 2016 10:57:14 -0700 (PDT)
Received: from [88.198.220.131] (helo=sslproxy02.your-server.de) by www363.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85_2) (envelope-from <ietf@huelsing.net>) id 1b1HKq-0000K3-AU; Fri, 13 May 2016 19:57:12 +0200
Received: from [89.248.140.14] (helo=[10.22.133.126]) by sslproxy02.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <ietf@huelsing.net>) id 1b1HKq-0002ac-27; Fri, 13 May 2016 19:57:12 +0200
To: Grigory Marshalko <marshalko_gb@tc26.ru>, cfrg@irtf.org
References: <56C1BCB1.5070907@huelsing.net> <1c560f574874dabc9a28a8fa0835335f@mail.tc26.ru>
From: "A. Huelsing" <ietf@huelsing.net>
Message-ID: <57361576.1040107@huelsing.net>
Date: Fri, 13 May 2016 19:57:10 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <1c560f574874dabc9a28a8fa0835335f@mail.tc26.ru>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Authenticated-Sender: ietf@huelsing.net
X-Virus-Scanned: Clear (ClamAV 0.99/21539/Fri May 13 18:56:52 2016)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/ThtjD6Zz1EilcrCB3NJzqvsGtuw>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Subject: Re: [Cfrg] [MASSMAIL] Re: New Version Notification for draft-irtf-cfrg-xmss-hash-based-signatures-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2016 17:57:18 -0000
Hi,
so the way you access the security level only applies for key only
attacks that have the goal to find a valid secret key. This is by far
the weakest security model we got for signatures and generally not
considered sufficient. For signatures we want something called
existential unforgeability under adaptive chosen message attacks. Here
the goal of an adversary is to forge a signature (for which key
retrieval is only one viable way). Also, the attacker gets more power,
i.e. (s)he is assumed to be able to obtain valid signatures for messages
of her choice, adaptively. That's why the argument which we do not
really have in the draft but in the accompanying paper is much more
complicated.
Best regards,
Andreas
On 05/12/16 20:28, Grigory Marshalko wrote:
> Hi,
>
> started reading the draft, and I think that the general security considerations in clause 8 about bit security are a little bit misleading. If we recall Shannon definition of "practical" security, which is defined as "the average
> amount (the expectation) of work to determine the right key", we can see that it follows from quite natural algorithm for key guessing: take the first key, check it, it is correct key with probability 1/N (N - is the number of keys), if not - take the second key, it is correct with the same probability ... etc. So we can get the average amount of work as \sum_{i=1}^{N}i/N=(N+1)/2~N/2, and this is, I think, the right description of a bit security with parameter b (2^b=N) - not as stated in the draft. Or you have in mind smth. different?
>
>
> Regards,
> Grigory Marshalko,
> expert,
> Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)
> www.tc26.ru
> 15 февраля 2016 г., 14:55, "A. Huelsing" <ietf@huelsing.net> написал:
>> Hi,
>>
>> we pushed a new version of the XMSS draft for hash-based signatures. The
>> two main changes are
>> 1. We incorporate the index of a signature to compute the message
>> representative: M' = H(idx || R || M). This allows to mitigate speed-ups
>> for attacks that collect many signatures and then try to forge a new
>> signature, finding a colliding (M,R) pair.
>> 2. We changed the address format to be more implementation friendly,
>> i.e., fields do not cross byte or word boundaries anymore (one exception
>> is a 40 bit field that simply does not fit a single word).
>> Besides we did some minor remaining fixes. A complete change log can be
>> found at the end of the draft.
>>
>>> From our side, the content of the draft is done with this update. We are
>> only considering to publish one more update with test vectors. However,
>> we are not entirely sure if this makes sense for such a scheme as it
>> would easily become 50 - 100 pages (we would have to add all signatures
>> for a key pair...). We would instead prefer to accompany the draft with
>> a reference implementation that can be used to validate implementations.
>>
>> We currently got two independent reference implementations of the last
>> version of the draft that were tested against each other. We will update
>> them during the coming days to meet this version.
>>
>> Cheers,
>>
>> Stefan, Denis & Andreas
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] New Version Notification for draft-irt… A. Huelsing
- Re: [Cfrg] New Version Notification for draft-irt… A. Huelsing
- Re: [Cfrg] [MASSMAIL] Re: New Version Notificatio… Grigory Marshalko
- Re: [Cfrg] [MASSMAIL] Re: New Version Notificatio… A. Huelsing